From l.lech at ringler.ch Fri Mar 1 02:40:20 2019
From: l.lech at ringler.ch (Lukasz Lech)
Date: Fri, 1 Mar 2019 07:40:20 +0000
Subject: [keycloak-user] Logging in with admin REST API as user with OTP
Message-ID: <5E48B917000C984B86B77170F441903A18949E6E@exch.ringler.ch>

Hello,

Is it possible to log in as a user with OTP using Admin Rest API? I haven't found any hint and I don't see appropriate fields in org.keycloak.admin.client.KeycloakBuilder that could allow that.

After activating OTP my code fails (which is expected, otherwise it will undermine the purpose of OTP).

Best regards,
Lukasz Lech

From Johny.Dee at seznam.cz Fri Mar 1 06:47:34 2019
From: Johny.Dee at seznam.cz (Vaclav Havlik)
Date: Fri, 01 Mar 2019 12:47:34 +0100 (CET)
Subject: [keycloak-user] role-mappings.
References:
Message-ID: <1Pz.4PY}.2qr}U9Hb8AO.1SUHlM@seznam.cz>

Sorry, my fault. The JSON must be

    [ { "id" : "", "name" : "view-realm" } ]

V.

---------- Původní e-mail ----------
Od: Vaclav Havlik
Komu: Martin Kanis
Datum: 27. 2. 2019 15:06:32
Předmět: Re: [keycloak-user] role-mappings.

"Thank you. It helped to put clientID instead of clientName. So this helped for HTTP GET.

But when I do HTTP POST to assign roles to a user on the client realm-management (id = 6c168708-18bd-4453-8b1e-8dc36223d5bd), then I get HTTP 404. I am attaching Wireshark communication with first GET (200) and then POST (404).

Could you pls tell me again?

Venca.

---------- Původní e-mail ----------
Od: Martin Kanis
Komu: Vaclav Havlik
Datum: 26. 2. 2019 15:31:45
Předmět: Re: [keycloak-user] role-mappings.

"Hi,

first of all the last part of your path should be client's id not name. This might be sometimes confusing. Here is the example of valid path:

    http://localhost:8080/auth/admin/realms/master/users/be1b9781-336a-4e60-9694-c5be74eac7b3/role-mappings/clients/c9cb881f-4e21-4e4b-8de1-f39897088b61

Second you have to provide a valid authorization to your request. For example using a bearer token.

    curl -X GET -H "Content-Type:application/json" -H "Authorization: Bearer " "correct/path/from/above"

To obtain an access token using the grant_type password (there are other alternatives as well) you can use:

    curl -X POST --data "grant_type=password&client_id=admin-cli&username=admin&password=admin" -H "Content-Type: application/x-www-form-urlencoded" "http://localhost:8080/auth/realms/master/protocol/openid-connect/token"

Hope this helps,
Martin

On Tue, Feb 26, 2019 at 11:15 AM Vaclav Havlik wrote:
> Hello,
> can I ask you again?
>
> I would like to assign some specific roles (view-realm, manage-users) on the client realm-management to a user.
>
> Via REST API, I cannot, however, even display the role-mappings by doing HTTP GET on
> /auth/admin/realms/xxx/users/4c0f445a-53e9-45c2-a9c9-a8ac69bb5b48/role-mappings/clients/realm-management
>
> (Gives HTTP 404, xxx is my realm).
>
> But, if I take my own client, whose name is web_app, then the request
> /auth/admin/realms/xxx/users/4c0f445a-53e9-45c2-a9c9-a8ac69bb5b48/role-mappings/clients/web_app
>
> works (HTTP 200), giving empty array.
>
> When doing this, I follow instructions on
> https://www.keycloak.org/docs-api/4.0/rest-api/index.html#_client_role_mappings_resource
>
> Can you tell me, what the problem is?
> Thank you, Venca.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
""

From Artur.Kostka at bosch-si.com Fri Mar 1 06:56:53 2019
From: Artur.Kostka at bosch-si.com (Kostka Artur (BCI/ESW25))
Date: Fri, 1 Mar 2019 11:56:53 +0000
Subject: [keycloak-user] Make kid optional in SignedJWT
Message-ID:

Hi,

I have a question regarding .NET, Keycloak and Signed JWT (https://www.keycloak.org/docs/latest/securing_apps/index.html#_client_authentication_adapter).

Right now we want to create a Signed JWT from .NET in order to retrieve our access token. There is no library available and OWIN is deprecated, so we decided to implement the required JWT by ourselves. This is not a big deal, but we are struggling, because the native .NET returns a different value compared to the Keycloak implementation (JWTClientCredentialsProvider.java - createSignedRequestToken(...)), when calculating the kid for the token header. The .NET calculated kid causes Keycloak to return an error message, it is obviously different from the one calculated with the Keycloak adapter. We could figure out that the .NET and the Keycloak adapter are calculating the kid differently.

As we investigated further, https://tools.ietf.org/html/rfc7515#section-4.1.4 specifies that this kid parameter is optional and just a hint for the authorization server.

Are there any plans to change this behavior according to RFC7515 and make the kid optional?

Cheers,
Artur

Best regards / Mit freundlichen Grüßen / Üdvözlettel

Mr. Artur Kostka
Bosch Connected Industry
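The two mistakes in the role-mappings thread above (a clientId where the path wants the client's UUID, and a POST body that is not a well-formed array of role representations) are easy to get right with a small script. The following is an editor-added example for Martin Kanis's reply; it is not code from the thread or from the Keycloak project. It assumes the Keycloak 4.x URL layout under /auth, the admin-cli password grant shown in the thread, and that only the Python standard library is available.

```python
"""Assign client-level roles to a user via the Keycloak Admin REST API.

Editor-added example for the role-mappings thread above (Martin Kanis's
reply); it is not code from the thread or from Keycloak. Assumed: the
Keycloak 4.x URL layout under /auth, the admin-cli password grant shown
in the thread, and that only the Python standard library is available.
"""
import json
import urllib.parse
import urllib.request


def token_request(base_url, realm, username, password, client_id="admin-cli"):
    """Build the password-grant request Martin shows with curl.

    Returns (url, form body). Caveat: this binds the script to a human
    admin's password; for automation use a confidential client with the
    client_credentials grant and only the realm-management roles it needs.
    """
    url = f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
    }).encode()
    return url, body


def client_uuid_by_client_id(clients, client_id):
    """The last path segment of .../role-mappings/clients/{id} must be the
    client's internal UUID, not its clientId such as "realm-management";
    using the clientId there is what produced Venca's 404. `clients` is
    the JSON array from GET /auth/admin/realms/{realm}/clients?clientId=...
    """
    for client in clients:
        if client.get("clientId") == client_id:
            return client["id"]
    raise LookupError(f"no client with clientId={client_id!r}")


def role_mapping_url(base_url, realm, user_id, client_uuid):
    return (f"{base_url}/auth/admin/realms/{realm}/users/{user_id}"
            f"/role-mappings/clients/{client_uuid}")


def role_mapping_payload(available_roles, wanted):
    """POST body: a JSON array of role representations carrying the real
    id and name, taken from GET .../role-mappings/clients/{uuid}/available.
    A name that is not assignable is an error rather than silently dropped,
    so a typo cannot quietly grant less than intended.
    """
    by_name = {role["name"]: role for role in available_roles}
    missing = [name for name in wanted if name not in by_name]
    if missing:
        raise LookupError(f"roles not assignable here: {missing}")
    return [{"id": by_name[name]["id"], "name": name} for name in wanted]


def call(method, url, token, body=None):
    """Minimal JSON request with the bearer token; raises on non-2xx."""
    request = urllib.request.Request(url, data=body, method=method)
    request.add_header("Authorization", f"Bearer {token}")
    request.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(request) as response:
        raw = response.read()
    return json.loads(raw) if raw else None


def assign_client_roles(base_url, realm, user_id, client_id, wanted, token):
    """Resolve the client UUID, fetch the assignable roles, POST the mapping
    and return the mappings now in effect (the same GET Venca used)."""
    query = urllib.parse.urlencode({"clientId": client_id})
    clients = call("GET", f"{base_url}/auth/admin/realms/{realm}/clients?{query}", token)
    url = role_mapping_url(base_url, realm, user_id,
                           client_uuid_by_client_id(clients, client_id))
    payload = role_mapping_payload(call("GET", url + "/available", token), wanted)
    call("POST", url, token, json.dumps(payload).encode())
    return call("GET", url, token)


if __name__ == "__main__":
    # Constructed stand-ins for the server's answers (ids taken from the thread).
    sample_clients = [{"id": "6c168708-18bd-4453-8b1e-8dc36223d5bd",
                       "clientId": "realm-management"}]
    sample_available = [{"id": "role-uuid-1", "name": "view-realm"},
                        {"id": "role-uuid-2", "name": "manage-users"}]
    uuid = client_uuid_by_client_id(sample_clients, "realm-management")
    print(role_mapping_url("http://localhost:8080", "xxx",
                           "4c0f445a-53e9-45c2-a9c9-a8ac69bb5b48", uuid))
    print(json.dumps(role_mapping_payload(sample_available,
                                          ["view-realm", "manage-users"])))
```

Against a live server, `assign_client_roles(base, realm, user_id, "realm-management", ["view-realm", "manage-users"], token)` does the whole sequence; the pure helpers above are what you would unit-test. Fetching ids from the `/available` endpoint rather than hand-typing them is also the check that the caller is actually allowed to hand out those roles for that user.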
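For Artur Kostka's kid mismatch above, the practical check is to compute the kid the way the Java adapter does and compare it with what the .NET side produces. The block below is an editor-added example, not code from the thread or from Keycloak, and it rests on an assumption that should be verified against the adapter source: that KeyUtils.createKeyId (used by JWTClientCredentialsProvider) returns base64url(SHA-256(publicKey.getEncoded())) without padding, and that getEncoded() on a Java RSA public key is the X.509 SubjectPublicKeyInfo DER. If that holds, a .NET X509Certificate2.Thumbprint (hex SHA-1 over the whole certificate) can never match, and the .NET code has to hash the SPKI bytes instead. Only the standard library is used, so the SPKI structure is DER-encoded by hand.

```python
"""Reproduce the `kid` the Keycloak Java adapter puts in a Signed JWT header.

Editor-added example for Artur Kostka's message above; it is not code from
the thread or from Keycloak. ASSUMPTION to check against the adapter source
(KeyUtils.createKeyId, used by JWTClientCredentialsProvider): kid is
base64url(SHA-256(publicKey.getEncoded())) without padding, and for a Java
RSA public key getEncoded() yields the X.509 SubjectPublicKeyInfo DER.
"""
import base64
import hashlib

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_uint(value):
    """DER INTEGER for a non-negative value (leading 0x00 keeps it positive)."""
    b = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return der(0x02, b)


def rsa_spki_der(n, e):
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }
    with AlgorithmIdentifier = { rsaEncryption, NULL } and the BIT STRING
    wrapping RSAPublicKey ::= SEQUENCE { modulus, publicExponent }.
    This is the byte string Java's RSAPublicKey.getEncoded() returns."""
    algorithm = der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")
    rsa_public_key = der(0x30, der_uint(n) + der_uint(e))
    return der(0x30, algorithm + der(0x03, b"\x00" + rsa_public_key))


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def keycloak_kid(spki_der):
    """Assumed KeyUtils.createKeyId: base64url(SHA-256(SPKI DER)), no padding."""
    return b64url(hashlib.sha256(spki_der).digest())


if __name__ == "__main__":
    # Toy modulus/exponent so the DER can be checked by hand; a real client
    # key is 2048 bits or more and would be read from the client's keystore.
    spki = rsa_spki_der(3233, 17)
    print(spki.hex())
    print("kid the adapter would send:", keycloak_kid(spki))
```

On the .NET side the equivalent input is the DER of the certificate's public key (SubjectPublicKeyInfo), not the certificate and not the raw modulus; hashing either of those, or using the SHA-1 thumbprint, gives a different kid and the server cannot find the key.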
From pkboucher801 at gmail.com Fri Mar 1 07:11:05 2019
From: pkboucher801 at gmail.com (pkboucher801 at gmail.com)
Date: Fri, 1 Mar 2019 07:11:05 -0500
Subject: [keycloak-user] CVE-2018-14637 temporary mitigation with compensating controls?
Message-ID: <000201d4d027$d932e400$8b98ac00$@gmail.com>

This https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2018-14637&vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H says that a SAML response from an external IdP can be replayed, because the expirations of the assertions are not checked (fixed in 4.6.0).

The questions I have are about temporary mitigation before deploying version 4.6.0+.

1) Doesn't Keycloak enforce a one-time use restriction, so that no SAML response from an IdP could be reused?

2) If you have "last mile" TLS, so that the SAML responses are never transmitted in the clear, wouldn't that preclude an attacker from capturing a response in order to replay it?

3) Are there any other configurations or controls useful in temporary mitigation (e.g., IP whitelisting, so that SAML responses can only get in from the IdP's CIDR ranges)?

Thanks!

Regards,
Peter

From roxspring at imapmail.org Fri Mar 1 08:53:54 2019
From: roxspring at imapmail.org (Robert Oxspring)
Date: Fri, 1 Mar 2019 13:53:54 +0000
Subject: [keycloak-user] Token Exchange "Permission Upgrade"
Message-ID: <6A8CD1DE-CF68-43C2-8224-A9C002AE3DCF@imapmail.org>

Hi

I've been reading about token exchange and wondered if somebody could confirm whether it's the right choice for my situation...

We have users connecting to a "front end"
service and are able to establish an audit trail of who did what. We also have a "back end" service which the end users typically don't have permission to use, but is needed to power some functions of the "front end" service.

So far we've been using a service token within "front end" to make calls on the "back end" on behalf of the requesting user. This correctly allows the user to trigger some restricted back end behaviour without having direct access to the back end service, but means that the backend service has lost track of who it's operating on behalf of and so the audit trail becomes unclear.

Would it be viable & sensible to instead have the front end exchange the user token for one that has elevated privileges (that the user doesn't normally have) to the backend service and use that token to make downstream calls? The token exchange docs explicitly mention the possibility of using exchange to downgrade permissions, I'm not clear if they can also be used to upgrade permissions as I describe!

https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/token-exchange/token-exchange.adoc

Am I on the right track here or should I be looking at something else entirely?

Thanks,

Rob

From Ted.Belser at dodiis.mil Fri Mar 1 11:00:32 2019
From: Ted.Belser at dodiis.mil (Belser, Ted L CTR DIA (US))
Date: Fri, 1 Mar 2019 16:00:32 +0000
Subject: [keycloak-user] Concurrent OAuth handshakes overwrites OAuth_Token_Request_State cookie
Message-ID: <9F85435AFB6D854E90D8EA8412A9FEF80160AB10B4@NEDIACDAG001AN.dodiis.mil>

Hello,

I'm encountering an issue with the OAuth sequence that occurs because of a unique combination of components. We are deploying keycloak protected web applications into an OpenShift environment. The web applications must be accessible through an Ozone Widgets Framework (OWF) portal. These are immovable constraints. It's a government system and therefore cannot be easily changed. I'd drop OWF if I could.

The OWF portal is mapped to a client in Keycloak and is a protected resource. OWF is a way to bring multiple applications into a single browser window (via inline frames). Each application (mapped into an Iframe in OWF, and an App in Openshift) is protected by keycloak. The applications are each keycloak clients within the same realm as the OWF client.

When the OWF page loads, it first attempts to authenticate the user via normal keycloak mechanisms. This authentication and authorization completes successfully. However, once the OWF portal is loaded into the browser, it begins opening the user's widgets concurrently. Each of the widgets is an OpenShift application (specifically a wildfly application using the Keycloak client adapter). As a consequence, each of the widgets needs to establish a security context. While running through the redirect sequence between the app, keycloak, and back to the app, a cookie is exchanged. The cookie's name is OAuth_Token_Request_State.

The problem arises when there are multiple apps attempting to establish their security context concurrently. When this happens, the OAuth_Token_Request_State is overwritten. As a result, all but one of the apps fail to establish the security context because the cookie value does not match the OAuth state. As a result, most of the widgets on the screen do not load. It's possible to reload the widgets and the authentication process completes successfully, but forcing users to reload is clearly a UX problem.

Is it possible to fix this by changing the name of this cookie to include a unique string? If the cookie name is unique, it won't be overwritten. When the user agent is redirected back to the client, it will include the uniquely named cookie and the verification of the OAuth state will succeed. The name of the cookie appears to be an implementation detail of OAuth 2.0, not a SHALL. It seems like this could be changed and still comply with the standard.

I cloned the code and found where the cookie name is set. I can make the modification and rebuild the adapter, but I wanted to be sure I wasn't causing another problem. It seems pretty straightforward.

Again, I'd prefer to drop OWF from the architecture and not worry about this, but that's not an option.

Thanks,

Von Belser

-----
Ted L. Belser II
Contractor - EAMS Software Engineer
sub-contracting to Northrop Grumman
Burnt Toast Labs Inc.

From mdailous at forensiclogic.com Fri Mar 1 11:04:32 2019
From: mdailous at forensiclogic.com (Michael Dailous)
Date: Fri, 1 Mar 2019 16:04:32 +0000
Subject: [keycloak-user] How to add custom details to login event
Message-ID:

We've added an additional field on the Keycloak login page that requires justification for system use. I've been searching for how to include this in the login event, and have found references to a login event "details", which allows the addition of "any custom field you want", but I can't find any information regarding how to actually add new fields. The thread I found this on is rather old (September 2016), but I'm hoping the information is still valid: http://lists.jboss.org/pipermail/keycloak-dev/2016-September/008179.html

Can someone provide some information on how to add a new value to the details of the login event so that information gets logged?

Thank you,
Michael

Michael Dailous
Sr. Software Engineer
Forensic Logic / COPLINK
520.732.1725
mdailous at forensiclogic.com
www.forensiclogic.com
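The failure Ted Belser describes two messages up, and the per-flow cookie name he proposes, can be played through without a browser. The block below is an editor-added model, not the Keycloak adapter's code. It assumes what the message implies: the adapter stores the `state` it sent in a cookie and, on the callback, accepts the authorization code only if the `state` query parameter equals that cookie; and all widgets share one cookie scope (same host and cookie path), which is the only way one flow can overwrite another's cookie.

```python
"""Why concurrent logins clobber OAuth_Token_Request_State, and the fix Ted
proposes, played through against a toy cookie jar.

Editor-added example for Ted Belser's message above; it is a model, not the
Keycloak adapter's code. Assumed: the adapter stores the `state` it sent in
a cookie and, on the callback, accepts the code only if the `state` query
parameter equals that cookie; and all widgets share one cookie scope (same
host and cookie path), which is the only way the overwrite can happen.
"""
import secrets

FIXED_COOKIE = "OAuth_Token_Request_State"


class Browser:
    """Cookie jar keyed by name only, i.e. a single shared cookie scope."""

    def __init__(self):
        self.cookies = {}

    def set_cookie(self, name, value):
        self.cookies[name] = value          # a later Set-Cookie overwrites

    def get_cookie(self, name):
        return self.cookies.get(name)

    def delete_cookie(self, name):
        self.cookies.pop(name, None)


class Adapter:
    """Relying-party side of the authorization-code redirect dance."""

    def __init__(self, per_flow_cookie_name):
        self.per_flow = per_flow_cookie_name

    def cookie_name(self, state):
        # Ted's proposal: make the name unique per flow so concurrent flows
        # cannot overwrite each other. The state value stays the secret.
        return f"{FIXED_COOKIE}_{state}" if self.per_flow else FIXED_COOKIE

    def start_login(self, browser):
        state = secrets.token_urlsafe(16)   # unguessable, one per flow
        browser.set_cookie(self.cookie_name(state), state)
        return state                        # goes into the redirect URL

    def handle_callback(self, browser, state_param):
        name = self.cookie_name(state_param)
        expected = browser.get_cookie(name)
        if expected is None or not secrets.compare_digest(expected, state_param):
            return False                    # state mismatch: reject the code
        browser.delete_cookie(name)         # one-shot; also stops pile-up
        return True


def run_concurrent_logins(n_widgets, per_flow_cookie_name):
    """Start n flows before any callback returns; count the successful ones."""
    browser, adapter = Browser(), Adapter(per_flow_cookie_name)
    states = [adapter.start_login(browser) for _ in range(n_widgets)]
    return sum(adapter.handle_callback(browser, s) for s in states)


def forged_callback_rejected(per_flow_cookie_name):
    """A callback whose state the browser never stored must fail either way,
    so the per-flow name does not weaken the CSRF protection."""
    browser, adapter = Browser(), Adapter(per_flow_cookie_name)
    adapter.start_login(browser)
    return not adapter.handle_callback(browser, "state-chosen-by-attacker")


if __name__ == "__main__":
    print("fixed name, 4 widgets    ->", run_concurrent_logins(4, False), "succeed")
    print("per-flow name, 4 widgets ->", run_concurrent_logins(4, True), "succeed")
```

With the fixed name only the last widget to start its flow completes, which is exactly the "all but one fail" symptom; with the per-flow name all of them do, and a callback carrying a state the browser never stored is still refused. If the widgets live on distinct hostnames or context paths, scoping the cookie's Path or Domain to each app removes the collision without renaming; the unique-name variant costs one cookie per in-flight login, which is why the callback deletes it after use.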
From tom at spicule.co.uk Fri Mar 1 13:15:43 2019
From: tom at spicule.co.uk (Tom Barber)
Date: Fri, 1 Mar 2019 10:15:43 -0800
Subject: [keycloak-user] Javascript Check SSO and Token Validity
Message-ID:

Hi folks,

I need some help understanding the flow a bit to make sure I can explain stuff, or just figure out if things are wired up correctly.

Using the Javascript adapter we login using Check SSO to check the validity of the session. My developer then has a token validity check in place

    keycloak
      .updateToken(KC_UPDATE_TOKEN_INTERVAL / 1000 /* 1s = 1000 milliseconds */)
      .success(refreshed => {
        if (refreshed) {
          console.log('Token was successfully refreshed');
          updateLocalStorage(keycloak);
        } else {
          console.log('Token is still valid');
        }
      })
      .error(() => {
        // Failed to refresh the token, or the session has expired
        keycloak.logout();
      });

This runs on a timer. But, if you terminate a session in Keycloak it doesn't log you out (we also have the checkLoginIframe disabled).

So, is checking the token a valid way of detecting a session? And what's the deal with terminating your session?

Thanks and apologies for the relatively dumb question!

Tom

From Pavel.Micka at zoomint.com Sat Mar 2 06:14:43 2019
From: Pavel.Micka at zoomint.com (Pavel Micka)
Date: Sat, 2 Mar 2019 11:14:43 +0000
Subject: [keycloak-user] Fine Grained user permission in Admin console
Message-ID:

Hello everyone,

we will be using fine grained user permissions in admin console in our application. The motivation is simple: customers will be managing their realms directly in Keycloak and we want to make sure that they will not jailbreak (assign higher privileges than they currently have).

We have noticed that this feature is in preview, even though it seems that it is in Keycloak from version 3.2.0 (https://issues.jboss.org/browse/KEYCLOAK-3444).

We would like to ask if there are any plans to make it "official"/default part of installation. Or if there are some plans to change the functionality in upcoming versions (so we do not base our solution on this feature only to be discontinued in next version of Keycloak).

Thanks very much for any info.

Regards,
Pavel

From eddy.rowking at gmail.com Sun Mar 3 17:06:35 2019
From: eddy.rowking at gmail.com (Eddy Rowking)
Date: Sun, 3 Mar 2019 23:06:35 +0100
Subject: [keycloak-user] [ Keycloak - user ] Spring boot application configuration - How can I inject ROLE got from OtherClaims to configuration class?
Message-ID:

Hello everyone,

I am trying to configure a spring boot application. How can I inject ROLE got from OtherClaims to configuration class?
I get Roles from other claims of the userinfo endpoint url as you can see below:

    public class GetRolesFromOtherClaims {

        private final String keycloakServerUrl = "https://my-authentication-server.fr";
        private final String keycloakRealm = "MY-REALM";

        public RolesDto[] getRoles() throws IOException {
            URI userInfoUri = KeycloakUriBuilder.fromUri(this.keycloakServerUrl)
                    .path("/auth/realms/MY-REALM/protocol/openid-connect/userinfo")
                    .build(this.keycloakRealm);
            KeycloakClientRequestFactory factory = new KeycloakClientRequestFactory();
            KeycloakRestTemplate template = new KeycloakRestTemplate(factory);
            ResponseEntity<UserInfo> response = template.getForEntity(userInfoUri, UserInfo.class);
            UserInfo infos = response.getBody();
            String autorisations = infos.getOtherClaims().get("autorisations").toString();
            ObjectMapper mapper = new ObjectMapper();
            RolesDto[] rolesDtos = mapper.readValue(autorisations, RolesDto[].class);
            return rolesDtos;
        }
    }

You can see below my configuration classes:

    @Configuration
    @EnableWebSecurity
    @ConditionalOnProperty(name = "keycloak.enabled", havingValue = "true", matchIfMissing = true)
    @ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
    public class KeycloakConfigurationAdapter extends KeycloakWebSecurityConfigurerAdapter {

        @Bean
        @Override
        protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
            return new NullAuthenticatedSessionStrategy();
        }

        @Bean
        public KeycloakConfigResolver KeycloakConfigResolver() {
            return new KeycloakSpringBootConfigResolver();
        }

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) {
            KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
            SimpleAuthorityMapper simpleAuthorityMapper = new SimpleAuthorityMapper();
            keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(simpleAuthorityMapper);
            auth.authenticationProvider(keycloakAuthenticationProvider);
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .sessionManagement()
                    .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
                .and()
                .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
                .addFilterBefore(keycloakAuthenticationProcessingFilter(), X509AuthenticationFilter.class)
                .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint())
                .and()
                .logout()
                    .addLogoutHandler(keycloakLogoutHandler())
                    .logoutUrl("/logout")
                    .logoutSuccessHandler(
                        (HttpServletRequest request, HttpServletResponse response, Authentication authentication) ->
                            response.setStatus(HttpServletResponse.SC_OK))
                .and()
                .apply(new CommonSpringKeycloakSecuritAdapter());
        }
    }

    public class CommonSpringKeycloakSecuritAdapter
            extends AbstractHttpConfigurer<CommonSpringKeycloakSecuritAdapter, HttpSecurity> {

        @Bean
        CorsFilter corsFilter() {
            return new CorsFilter();
        }

        @Override
        public void init(HttpSecurity http) throws Exception {
            http
                .csrf().disable()
                .addFilterBefore(this.corsFilter(), SessionManagementFilter.class)
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                    .antMatchers(HttpMethod.OPTIONS).permitAll()
                    .anyRequest().authenticated();
        }
    }

Thanks for your help!

Eddy,

From flezria at gmail.com Mon Mar 4 04:40:07 2019
From: flezria at gmail.com (Filip Andersen)
Date: Mon, 4 Mar 2019 10:40:07 +0100
Subject: [keycloak-user] Keycloak 4.8 check if user has role
Message-ID:

Hello

Is there any way to check via Rest API if a user has the appropriate role for accessing the resource? I was thinking it would return a boolean depending on the outcome?
Thanks in advance

From mposolda at redhat.com Mon Mar 4 06:04:28 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 4 Mar 2019 12:04:28 +0100
Subject: [keycloak-user] Removing JaxrsBearerTokenFilter
In-Reply-To: <5E48B917000C984B86B77170F441903A18947B49@exch.ringler.ch>
References: <5E48B917000C984B86B77170F441903A189475DF@exch.ringler.ch> <5E48B917000C984B86B77170F441903A189476C6@exch.ringler.ch> <5E48B917000C984B86B77170F441903A1894796E@exch.ringler.ch> <11099e08-b271-9ca4-fdbb-c80b1bec0fa6@redhat.com> <5E48B917000C984B86B77170F441903A18947B49@exch.ringler.ch>
Message-ID: <568efbbf-5257-0ee2-c9d1-8c45dbad4ffd@redhat.com>

For now, we just remove the automated tests and we deprecated jaxrs filter. This change will be from Keycloak 5.0.0

We may remove the filter itself in some later Keycloak 6.X, so if you want to keep using it, I suggest to fork it into your repository and we can then reference it from the extensions page [1] as an extension maintained by community.

[1] https://www.keycloak.org/extensions.html

Thanks!
Marek

On 26/02/2019 16:38, Lukasz Lech wrote:
> Hello,
>
> The problem with handling security in external layer is, that the Principal will not be available in SecurityContext of JAX-RS, and the services registered by JAX-RS doesn't have access to this external context, only to JAX-RS context.
>
> The best solution would be probably to push the project to separate community-owned repository. It could be marked as deprecated or not officially supported, but it will be still possible to find via search engine, in case someone need it.
>
> OSGi is a bit niche technology because of hard learning curve and unsatisfactory documentation, and it will be likely even more niche in the future because of the growth of containerization, which allows to achieve the same goal as OSGi with others means...
>
> Best regards,
> Lukasz Lech
>
>
> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Dienstag, 26. Februar 2019 15:22
> To: Lukasz Lech ; stian at redhat.com
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Removing JaxrsBearerTokenFilter
>
> It seems we have 3 options:
> 1) Keep jaxrs filter adapter in the keycloak codebase and start to officially support it. In this case, we will need some better docs and maybe quickstart?
> 2) Deprecate it in the keycloak codebase and remove in next version (Keycloak 6.X probably?)
> 3) Remove directly from keycloak codebase
>
> In case (2) or (3), it will be nice if you Lukasz (or someone else from community) will maintain Jaxrs filter as an extension. In this case, it can be listed from the extensions page https://www.keycloak.org/extensions.html .
>
> Your use-case looks ok, but it seems that we didn't have much other requirements to maintain separate adapter for Jax RS filter. From quickly looking at osgi-jax-rs-connector documentation, it seems that connector still needs to be deployed on top of the servlet container or Http Servlet filter, which Keycloak has adapter for, so you can always secure at that level though. I don't think that we want (1) .
>
> My order of preference is 3, 2, 1. Thoughts?
>
> Marek
>
> On 25/02/2019 15:49, Lukasz Lech wrote:
>> I'm using jax-rs connector implementation from Eclipse team (https://github.com/hstaudacher/osgi-jax-rs-connector) and it needs to have validation injected in jax-rs context, and AFAIK this library was the only implementation that provided that.
>>
>> But never mind, I assume I can use current version, if it wasn't maintained anyway?
>>
>> Best regards,
>> Lukasz Lech
>>
>>
>> From: Stian Thorgersen [mailto:sthorger at redhat.com]
>> Sent: Montag, 25. Februar 2019 15:33
>> To: Lukasz Lech
>> Cc: keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] Removing JaxrsBearerTokenFilter
>>
>> Tomcat if you're using Tomcat, WildFly if you're using WildFly, etc..
>>
>> On Fri, 22 Feb 2019 at 08:26, Lukasz Lech wrote:
>> Hmm which is a proper adapter for JaxRS then? I've found only that one...
>>
>>
>> From: Stian Thorgersen [mailto:sthorger at redhat.com]
>> Sent: Freitag, 22. Februar 2019 07:36
>> To: Lukasz Lech
>> Cc: keycloak-user
>> Subject: Re: [keycloak-user] Removing JaxrsBearerTokenFilter
>>
>> Why not use one of the proper adapters for the container you are deploying to?
>>
>> On Thu, 21 Feb 2019, 14:51 Lukasz Lech, wrote:
>> Hello,
>>
>> I'm one of the users of org.keycloak.jaxrs.JaxrsBearerTokenFilterImpl. It is indeed poorly documented, for example I've found no mention that org.keycloak.adapters.KeycloakConfigResolver must cache org.keycloak.adapters.KeycloakDeployment, which resulted in public keys being downloaded from Keycloak Server with every request to our REST channel...
>>
>> If nobody has time and will to document it and fix bugs, what about moving it to separate project instead of deleting it? I haven't seen any alternative for securing jaxrs channels other than writing everything from scratch... Is there any alternative usable project?
>>
>> Best regards,
>> Lukasz Lech
>>
>>
>> -----Original Message-----
>> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda
>> Sent: Donnerstag, 21. Februar 2019 10:21
>> To: keycloak-user at lists.jboss.org
>> Subject: [keycloak-user] Removing JaxrsBearerTokenFilter
>>
>> Keycloak team thinks about removing JaxrsBearerTokenFilter.
>>
>> Just to add some context, the JaxrsBearerTokenFilter is the "adapter", which we have in the codebase and which allows to "secure" the JaxRS Application by adding the JaxrsFilter, which implements our OIDC adapter. This filter is not documented and we don't have any examples/quickstarts of it. Hence it is not considered as officially supported Keycloak feature. And you can probably always secure your application through some other officially supported way (HTTP Servlet filter or any of our other built-in adapters).
>>
>> Anyway, if someone is aware of any reason why to not remove this filter from Keycloak, please let me know, ideally by the Monday Feb 25th.
>>
>> See some details in keycloak-dev thread "Removing JaxrsBearerTokenFilter" .
>>
>> Thanks,
>> Marek
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Ted.Belser at dodiis.mil Mon Mar 4 09:31:29 2019
From: Ted.Belser at dodiis.mil (Belser, Ted L CTR DIA (US))
Date: Mon, 4 Mar 2019 14:31:29 +0000
Subject: [keycloak-user] Concurrent OAuth handshakes overwrites OAuth_Token_Request_State cookie
Message-ID: <9F85435AFB6D854E90D8EA8412A9FEF80160AB11B9@NEDIACDAG001AN.dodiis.mil>

Hello,

I'm encountering an issue with the OAuth sequence that occurs because of a unique combination of
components. We are deploying keycloak protected web applications into an OpenShift environment. The web applications must be accessible through an Ozone Widgets Framework (OWF) portal. These are immovable constraints. It's a government system and therefore cannot be easily changed. I'd drop OWF if I could.

The OWF portal is mapped to a client in Keycloak and is a protected resource. OWF is a way to bring multiple applications into a single browser window (via inline frames). Each application (mapped into an Iframe in OWF, and an App in Openshift) is protected by keycloak. The applications are each keycloak clients within the same realm as the OWF client.

When the OWF page loads, it first attempts to authenticate the user via normal keycloak mechanisms. This authentication and authorization completes successfully. However, once the OWF portal is loaded into the browser, it begins opening the user's widgets concurrently. Each of the widgets is an OpenShift application (specifically a wildfly application using the Keycloak client adapter). As a consequence, each of the widgets needs to establish a security context. While running through the redirect sequence between the app, keycloak, and back to the app, a cookie is exchanged. The cookie's name is OAuth_Token_Request_State.

The problem arises when there are multiple apps attempting to establish their security context concurrently. When this happens, the OAuth_Token_Request_State is overwritten. As a result, all but one of the apps fail to establish the security context because the cookie value does not match the OAuth state. As a result, most of the widgets on the screen do not load. It's possible to reload the widgets and the authentication process completes successfully, but forcing users to reload is clearly a UX problem.

Is it possible to fix this by changing the name of this cookie to include a unique string? If the cookie name is unique, it won't be overwritten. When the user agent is redirected back to the client, it will include the uniquely named cookie and the verification of the OAuth state will succeed. The name of the cookie appears to be an implementation detail of OAuth 2.0, not a SHALL. It seems like this could be changed and still comply with the standard.

I cloned the code and found where the cookie name is set. I can make the modification and rebuild the adapter, but I wanted to be sure I wasn't causing another problem. It seems pretty straightforward.

Again, I'd prefer to drop OWF from the architecture and not worry about this, but that's not an option.

Thanks,

Von Belser

From akula2000 at protonmail.com Mon Mar 4 15:27:13 2019
From: akula2000 at protonmail.com (akula2000)
Date: Mon, 04 Mar 2019 20:27:13 +0000
Subject: [keycloak-user] add config to authentication execution
Message-ID:

Dear all,

I'm having trouble automating my keycloak configuration via kcadm/rest api. I would like to add a config to authentication execution, which seems to be impossible without knowing the execution id.

What I'm doing:

    kcadm create authentication/executions/%execution_id%/create -r realm_name -s alias=alias_name -s "config.defaultProvider=saml"

I would like to avoid using the %execution_id% and use maybe an execution name or an alias or something like that as the id is unknown until the realm is created, which is done from the script. I could get it first and then parse it, however my script is written in cmd batch and... honestly haven't found a way to parse it neatly. If there is a nice clean way to do it then that'll do as well. Is there maybe a third way to do this?

I am very grateful since this is the only part of my config that I couldn't figure out.
Thanks a LOT, miro From andrewm659 at yahoo.com Mon Mar 4 15:39:46 2019 From: andrewm659 at yahoo.com (Andrew Meyer) Date: Mon, 4 Mar 2019 20:39:46 +0000 (UTC) Subject: [keycloak-user] Database backend issue References: <683306387.8457822.1551731986054.ref@mail.yahoo.com> Message-ID: <683306387.8457822.1551731986054@mail.yahoo.com> Hello, I am trying to setup Keycloak on CentOS 7 (latest).? This is a standalone machine.? My remote MariaDB server is running 10.2.x latest. I was trying to run Keycloak latest with mysql-java-connector-5.1.46 and got the following results: Caused by: java.lang.RuntimeException: Failed to connect to database? ? ? ? at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:381)? ? ? ? at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65)? ? ? ? at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97)? ? ? ? at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:678)? ? ? ? at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95)? ? ? ? at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:148)? ? ? ? at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)? ? ? ? at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:141)? ? ? ? at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)? ? ? ? at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)? ? ? ? at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)? ? ? ? at java.lang.reflect.Constructor.newInstance(Constructor.java:423)? ? ? ? 
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:154)
    ... 31 more
Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException]
    at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:153)
    at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:83)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:184)
    at org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:239)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189)
    at javax.naming.InitialContext.lookup(InitialContext.java:417)
    at javax.naming.InitialContext.lookup(InitialContext.java:417)
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:374)
    ... 43 more

I have tried using newer versions of the connector with the same result.

From corentin.dupont at gmail.com Tue Mar 5 05:12:09 2019
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Tue, 5 Mar 2019 11:12:09 +0100
Subject: [keycloak-user] Google + service shutdown
Message-ID:

Hi guys,
is there any action I need to take regarding the Google + shutdown?
https://developers.google.com/+/api-shutdown

I use Keycloak 4.4.0.Final.
Google sends me regular emails telling me I'm using the soon-deprecated API function plus.people.getOpenIdConnect.
Thanks
Corentin

From marco.vecchietti at telecomitalia.it Tue Mar 5 06:30:38 2019
From: marco.vecchietti at telecomitalia.it (Vecchietti Marco)
Date: Tue, 5 Mar 2019 11:30:38 +0000
Subject: [keycloak-user] Set user temporary password
Message-ID: <1551785439718.4397@telecomitalia.it>

Hi everyone,

I am using the keycloak API to configure the first (temporary) password of a new user. My wish is to enter an encrypted password. The CredentialRepresentation data structure has various hash fields. Is it possible to do this? Should I use the same hash rules used by keycloak to save passwords in the db?

Thanks for your help!
Marco

This e-mail and any attachments is confidential and may contain privileged information intended for the addressee(s) only. Dissemination, copying, printing or use by anybody else is unauthorised. If you are not the intended recipient, please delete this message and any attachments and advise the sender by return e-mail, Thanks.

Respect the environment. Do not print this e-mail unless necessary.

From eduard.matuszak at worldline.com Tue Mar 5 08:04:06 2019
From: eduard.matuszak at worldline.com (Matuszak, Eduard)
Date: Tue, 5 Mar 2019 13:04:06 +0000
Subject: [keycloak-user] keycloak customization in docker without CURL-admin-calls
Message-ID: <61D077C6283D454FAFD06F6AC4AB74D73DCE0FD1@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>

Hello

We want to migrate our platform to docker. Up to now we have a lot of Keycloak configuration statements running as CURL-subscripts for creation and customization of our realms in our rpm-package.
The question is how, if ever possible, we might overcome using the admin-REST-API for customization in a reasonable way. To my understanding keycloak-admin-cli does not cover all possibilities the admin-REST-API provides, and on the other hand importing realms from an exported prototype-keycloak also does not really seem to be a smart solution.

Do you have any idea or hint?

Best regards, Eduard Matuszak

Eduard Matuszak
Worldline, an atos company
T +49 (211)399 398 63
M +49 (163)166 23 67
F +49(211) 399 22 430
eduard.matuszak at worldline.com
Max-Stromeyer-Straße 116
78467 Konstanz
Germany
worldline.com

Worldline Germany GmbH
Managing Director: Susanne Denker
Chairman of the Supervisory Board: Christophe Duquenne
Registered office: Frankfurt/Main
Commercial register: Frankfurt/Main HRB 98 826

* * * * * * * * L E G A L D I S C L A I M E R * * * * * * * *
This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail by error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the internet, the Atos group liability cannot be triggered for the message content. Although the sender endeavors to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and shall not be liable for any damages resulting from any virus transmitted.
* * * * * * * * L E G A L D I S C L A I M E R * * * * * * * *
From corentin.dupont at gmail.com Tue Mar 5 08:25:54 2019
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Tue, 5 Mar 2019 14:25:54 +0100
Subject: [keycloak-user] Google + service shutdown
In-Reply-To:
References:
Message-ID:

Hi Marc,
I followed the tutorial at this page:
https://www.keycloak.org/docs/3.0/server_admin/topics/identity-broker/social/google.html

My application doesn't talk to the G+ API directly. I do everything through Keycloak.
Does that mean that I will not be able to use the Google Identity provider on Keycloak? Will this service be removed from new Keycloak versions?

On Tue, Mar 5, 2019 at 1:06 PM wrote:

> Hi Corentin
>
> Google will shut down the public version of G+. The business version for
> companies will still be available. It looks like the API you use is for the
> public version only. Do you connect via
> https://www.googleapis.com/plus/v1/people/me/openIdConnect ?
>
> In that case they will shut down the API at least in April 2019 and you
> cannot use it any longer.
>
> Markus
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org <
> keycloak-user-bounces at lists.jboss.org> On Behalf Of Corentin Dupont
> Sent: Tuesday, 5 March 2019 11:12
> To: keycloak-user
> Subject: [keycloak-user] Google + service shutdown
>
> Hi guys,
> is there any action I need to take regarding the Google + shutdown?
> https://developers.google.com/+/api-shutdown
>
> I use Keycloak 4.4.0.Final.
> Google sends me regular emails telling me I'm using the soon-deprecated API
> function plus.people.getOpenIdConnect.
>
> Thanks
> Corentin
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From mehdi.chaabouni at gmail.com Tue Mar 5 09:26:23 2019
From: mehdi.chaabouni at gmail.com (MEHDi CHAABOUNi)
Date: Tue, 5 Mar 2019 09:26:23 -0500
Subject: [keycloak-user] Users losing their roles for no apparent reason
Message-ID:

Hi,

This is our Keycloak setup:
- Keycloak docker container 4.4.0.Final
- Azure Active Directory (mapping groups to roles)
- Keycloak client protocol: openid-connect
- 3 optional client scopes

We have one back-end application (spring-boot) and one front-end application (angular).

We noticed lately that users using the front-end started losing their roles for no apparent reason. I still can't figure out when it happens. The only roles (authorities) left are offline_access and uma_authorization.

Deleting the user from Keycloak fixes the problem after reloading the front-end, but eventually the roles disappear again after a while. Upgrading to the latest version of Keycloak didn't help.

Any ideas?

Thank you!

From David.Erie at datapath.com Tue Mar 5 09:30:25 2019
From: David.Erie at datapath.com (David Erie (US))
Date: Tue, 5 Mar 2019 14:30:25 +0000
Subject: [keycloak-user] Fine Grained user permission in Admin console
Message-ID:

For the record, we have a similar requirement for which we'd like to use fine grained permissions in the admin app. So we were wondering the same thing about when it will become fully supported, etc.

Thanks,
Dave

===============================

Hello everyone,

we will be using fine grained user permissions in admin console in our application. The motivation is simple: customers will be managing their realms directly in Keycloak and we want to make sure that they will not jailbreak (assign higher privileges than they currently have).
We have noticed that this feature is in preview, even though it seems that it is in Keycloak from version 3.2.0 (https://issues.jboss.org/browse/KEYCLOAK-3444). We would like to ask if there are any plans to make it an "official"/default part of the installation. Or if there are some plans to change the functionality in upcoming versions (so we do not base our solution on this feature only to be discontinued in the next version of Keycloak).

Thanks very much for any info.

Regards,
Pavel

From hylton.peimer at datos-health.com Tue Mar 5 12:02:47 2019
From: hylton.peimer at datos-health.com (Hylton Peimer)
Date: Tue, 5 Mar 2019 19:02:47 +0200
Subject: [keycloak-user] Springboot adaptor issue with browser bookmark
Message-ID:

We have a SpringBoot application secured by Keycloak using the KeycloakWebSecurityConfigurerAdapter.

When the Keycloak login page is reached the URL contains a query string with "state" and "session_state". Some of our users bookmark this login page in their browser, which stores the query string (including state & session_state). When they return to the page using the bookmark, they get an error.

How can I avoid this situation? Or if there is no way, does it make sense to catch the error and redirect the user to the correct page without the problematic query string?

From robert.smol at stereoit.com Tue Mar 5 13:08:42 2019
From: robert.smol at stereoit.com (Robert Smol)
Date: Tue, 5 Mar 2019 19:08:42 +0100
Subject: [keycloak-user] How to migrate passwords
Message-ID:

Hi,

I am trying to follow chapter 11.9 in server development to migrate users from an existing database to Keycloak. I've implemented UserStorageProvider and CredentialInputValidator and unlinked the user in the isValid method. However I am not sure how to transfer the credential to keycloak. In our local database we have only hashes, so the only moment we have access to the password is again only in isValid. Is this the right method to transfer the password, and how do I set it on the UserModel?
Regards,
Robert Smol

From mizuki0621 at gmail.com Tue Mar 5 13:43:37 2019
From: mizuki0621 at gmail.com (mizuki)
Date: Tue, 5 Mar 2019 13:43:37 -0500
Subject: [keycloak-user] Authentication failed: org.jvnet.libpam.PAMException
Message-ID:

Hi,

We are currently evaluating keycloak as a possible authentication mechanism deployed to our facility. We use kerberos for user authentication with FreeIPA and configured sssd for user federation in keycloak (following the official documents from both keycloak and freeipa.org).

One of the requirements we desire is to enable the kerberos password for SSH login and enable 'otp' for HTTP based applications. To do so,

1. We enabled both user-auth-types for the user:
   - password
   - password + otp

2. Created HBAC rules in IPA, allowing keycloak server access for the following services (I purposely did not enable 'otp' at this point as I want to verify both 'password' and 'otp' shall work):
   - keycloak
   - sshd

3. Confirmed sshd worked with both 'password' and 'otp' types via PAM/SSSD, then I went ahead and accessed a URL that is protected by keycloak. 'password' works but 'otp' won't; the following ERRORs were seen in keycloak's server.log:

-----------
019-03-04 17:01:20,246 WARN [org.keycloak.events] (default task-22) type=LOGIN_ERROR, realmId=SDCC, clientId=vproxytest03, userId=9900928d-efee-4192-bbc8-7e29cf512d2b, ipAddress=130.199.6.120, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://www.example.com/secure/ *, code_id=d6c83411-4ca8-4d2b-b942-afd0006e98d2, username=mmstestu
2019-03-04 17:01:43,033 ERROR [org.keycloak.federation.sssd.impl.PAMAuthenticator] (default task-22) Authentication failed: org.jvnet.libpam.PAMException: pam_authenticate failed : Permission denied
    at org.jvnet.libpam.PAM.check(PAM.java:113)
    at org.jvnet.libpam.PAM.authenticate(PAM.java:129)
    at org.keycloak.federation.sssd.impl.PAMAuthenticator.authenticate(PAMAuthenticator.java:53)
    at org.keycloak.federation.sssd.SSSDFederationProvider.isValid(SSSDFederationProvider.java:180)
    at org.keycloak.credential.UserCredentialStoreManager.validate(UserCredentialStoreManager.java:143)
    at org.keycloak.credential.UserCredentialStoreManager.isValid(UserCredentialStoreManager.java:124)
    at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword(AbstractUsernameFormAuthenticator.java:193)
    at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:166)
    at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:55)
    at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:48)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:113)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:97)
    at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873)
    at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292)
    at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:263)
    at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:259)
    at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:320)
    at sun.reflect.GeneratedMethodAccessor719.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
    at java.lang.reflect.Method.invoke(Method.java:508)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
    at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
    at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
    at org.jboss.resteasy.core.ResourceMethodInvoker$$Lambda$849.00000000BB8BBB40.get(Unknown Source)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
    at org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$847.00000000BE026450.run(Unknown Source)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
    at org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$848.00000000BDC48A90.get(Unknown Source)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
    at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$693.00000000BCF725B0.call(Unknown Source)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown Source)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown Source)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown Source)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown Source)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
    at java.lang.Thread.run(Thread.java:812)
------------------

The interesting thing is that keycloak handles OTP just fine if I have only 'password+otp' checked on, but then we won't be able to log onto the machines via SSH using a password, which defeats our purpose.
I tested different versions of Java and the latest keycloak (4.8.3) version (on RHEL 7); all got the same results. I'm wondering if this is more likely a bug or I missed something. I'd appreciate it if someone can advise what the approach is.

Thank you very much.
Mizuki

From Pavel.Micka at zoomint.com Tue Mar 5 15:47:14 2019
From: Pavel.Micka at zoomint.com (Pavel Micka)
Date: Tue, 5 Mar 2019 20:47:14 +0000
Subject: [keycloak-user] Remove permission to manage realm (but keep managing roles)
Message-ID: <390c35e863144c39b9cb4fb0bd1d99c0@zoomint.com>

Hi,

Is it somehow possible to remove from a user the permission to manage the realm itself (example: client registration, tokens) but keep role management in place for the user (so he can create composite roles)?

If it is possible with fine grained permissions, can you please send me a howto, because I am unable to set it up (using docs)...

Thanks for help,

Pavel

From umair.chagani at gmail.com Wed Mar 6 00:28:06 2019
From: umair.chagani at gmail.com (u c)
Date: Wed, 6 Mar 2019 00:28:06 -0500
Subject: [keycloak-user] Error when using https
Message-ID:

I have the below keycloak-gatekeeper config that works fine. However when I switch "discovery-url" to my https domain:

"discovery-url: https://sso.mydomain.live/auth/realms/myrealm"

I get the following error after I login with keycloak-gatekeeper:

"unable to exchange code for access token {"error": "mime: no media type"}"

The discovery URL is the only thing I am changing. When I go to "https://sso.mydomain.live/auth/realms/myrelam/.well-known/openid-configuration" I can see all the same information that I see when I go to "http://192.168.1.164:8080/auth/realms/myrealm/.well-known/openid-configuration".

Anyone have any clues as to why this isn't working?
keycloak-gatekeeper config:

discovery-url: http://192.168.1.164:8080/auth/realms/myrealm
client-id: my-client
client-secret: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
listen: 0.0.0.0:3001
redirection-url: https://test.mydomain.live
upstream-url: http://192.168.1.162:8123
encryption-key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable-authorization-header: true
enable-authorization-cookies: true
verbose: true
enable-logging: true
enable-https-redirection: true
secure-cookie: true
enable-encrypted-token: true
enable-token-header: false
enable-refresh-tokens: true
preserve-host: true
enable-security-filter: true
resources:
- uri: /*

From vramik at redhat.com Wed Mar 6 03:45:06 2019
From: vramik at redhat.com (Vlasta Ramik)
Date: Wed, 6 Mar 2019 09:45:06 +0100
Subject: [keycloak-user] Database backend issue
In-Reply-To: <683306387.8457822.1551731986054@mail.yahoo.com>
References: <683306387.8457822.1551731986054.ref@mail.yahoo.com> <683306387.8457822.1551731986054@mail.yahoo.com>
Message-ID:

Hello Andrew,

we use MariaDB 10.1.x for keycloak, can you try it?

V.

On 3/4/19 9:39 PM, Andrew Meyer wrote:
> Hello,
> I am trying to set up Keycloak on CentOS 7 (latest). This is a standalone machine.
>
> My remote MariaDB server is running 10.2.x latest.
>
> I was trying to run Keycloak latest with mysql-java-connector-5.1.46 and got the following results:
> Caused by: java.lang.RuntimeException: Failed to connect to database
>     at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:381)
>     at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65)
>     at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97)
>     at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:678)
>     at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95)
>     at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:148)
>     at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
>     at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:141)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>     at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:154)
>     ... 31 more
> Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException]
>     at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:153)
>     at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:83)
>     at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207)
>     at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:184)
>     at org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:239)
>     at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193)
>     at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189)
>     at javax.naming.InitialContext.lookup(InitialContext.java:417)
>     at javax.naming.InitialContext.lookup(InitialContext.java:417)
>     at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:374)
>     ... 43 more
>
> I have tried using newer versions of the connector with the same result.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From vramik at redhat.com Wed Mar 6 03:53:32 2019
From: vramik at redhat.com (Vlasta Ramik)
Date: Wed, 6 Mar 2019 09:53:32 +0100
Subject: [keycloak-user] Remove permission to manage realm (but keep managing roles)
In-Reply-To: <390c35e863144c39b9cb4fb0bd1d99c0@zoomint.com>
References: <390c35e863144c39b9cb4fb0bd1d99c0@zoomint.com>
Message-ID: <9eb02651-9376-3534-f7e3-f97eaa264433@redhat.com>

Hey Pavel,

it seems you need role based access control; there is a link [1] where Fine grain permissions are described, it may help you.

[1]

V.

On 3/5/19 9:47 PM, Pavel Micka wrote:
> Hi,
>
>
> Is it somehow possible to remove from a user the permission to manage the realm itself (example: client registration, tokens) but keep role management in place for the user (so he can create composite roles)?
>
>
> If it is possible with fine grained permissions, can you please send me a howto, because I am unable to set it up (using docs)...
>
>
> Thanks for help,
>
>
> Pavel
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From vramik at redhat.com Wed Mar 6 03:59:52 2019
From: vramik at redhat.com (Vlasta Ramik)
Date: Wed, 6 Mar 2019 09:59:52 +0100
Subject: [keycloak-user] Remove permission to manage realm (but keep managing roles)
In-Reply-To: <9eb02651-9376-3534-f7e3-f97eaa264433@redhat.com>
References: <390c35e863144c39b9cb4fb0bd1d99c0@zoomint.com> <9eb02651-9376-3534-f7e3-f97eaa264433@redhat.com>
Message-ID:

... and there is the link:
https://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions

On 3/6/19 9:53 AM, Vlasta Ramik wrote:
> Hey Pavel,
>
> it seems you need role based access control; there is a link [1] where
> Fine grain permissions are described, it may help you.
> > [1] > > V. > > On 3/5/19 9:47 PM, Pavel Micka wrote: >> Hi, >> >> >> Is it somehow possible to remove from a user the permission to manage the realm itself (example: client registration, tokens) but keep role management in place for the user (so he can create composite roles)? >> >> >> If it is possible with fine-grained permissions, can you please send me a howto, because I am unable to set it up (using the docs)... >> >> >> Thanks for help, >> >> >> Pavel From Pavel.Micka at zoomint.com Wed Mar 6 04:48:35 2019 From: Pavel.Micka at zoomint.com (Pavel Micka) Date: Wed, 6 Mar 2019 09:48:35 +0000 Subject: [keycloak-user] Remove permission to manage realm (but keep managing roles) In-Reply-To: References: <390c35e863144c39b9cb4fb0bd1d99c0@zoomint.com> <9eb02651-9376-3534-f7e3-f97eaa264433@redhat.com> Message-ID: Hi, I tried that yesterday. The issue with fine-grained permissions is that it is an alpha feature... and we have not been able to make it fully working with role -> user assignments. I had a policy there to allow assignment once the time is > 2020-01-01, but the assignments (role->user) were granted successfully. On the other hand, the same policy worked flawlessly for assignments of roles to composite roles (forbidden). So I suppose that this alpha feature still has some glitches... Also, as the fine-grained permissions are an extension to the standard permissions in Keycloak, they can be used only to restrict the existing (top level) permissions.
But afaik there is no fine-grained permission for realm settings (https://www.keycloak.org/docs/latest/server_admin/index.html#full-list-of-permissions), hence you can't grant realm_settings + roles on the top level and use a fine-grained permission to narrow the permissions to roles only. Best regards, Pavel -----Original Message----- From: Vlasta Ramik Sent: Wednesday, March 6, 2019 10:00 AM To: Pavel Micka ; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Remove permission to manage realm (but keep managing roles) ... and there is the link: https://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions On 3/6/19 9:53 AM, Vlasta Ramik wrote: > Hey Pavel, > > it seems you need role-based access control; there is a link [1] where > fine-grain permissions are described, it may help you. > > [1] > > V. > > On 3/5/19 9:47 PM, Pavel Micka wrote: >> Hi, >> >> >> Is it somehow possible to remove from a user the permission to manage the realm itself (example: client registration, tokens) but keep role management in place for the user (so he can create composite roles)? >> >> >> If it is possible with fine-grained permissions, can you please send me a howto, because I am unable to set it up (using the docs)... >> >> >> Thanks for help, >> >> >> Pavel From victor at dvelp.co.uk Wed Mar 6 08:57:38 2019 From: victor at dvelp.co.uk (Victor Alejo) Date: Wed, 6 Mar 2019 14:57:38 +0100 Subject: [keycloak-user] Fwd: keycloak - Twilio integration In-Reply-To: References: Message-ID: Hi, first, thank you in advance for reading this question, and sorry if this is not the appropriate channel; it is the only link I have seen.
We would like to use keycloak as our authentication SSO with Twilio Flex. We already have a realm set up and we are now in the configuration. Basically we have everything but the issuer ID. Certificate: OK SSO URL: OK https://sso.develop.stentle.com/auth/realms/customer-support/protocol/saml *Identity Provider Issuer: We tried everything but we get "unknown login requester".* *Url: http://sso.develop.stentle.com * *realm: customer-support* Any help will be appreciated. Please let us know if you need any other information. Thank you very much Regards From triton.oidc at gmail.com Wed Mar 6 11:49:09 2019 From: triton.oidc at gmail.com (triton oidc) Date: Wed, 6 Mar 2019 16:49:09 +0000 Subject: [keycloak-user] Token exchange cross realm Message-ID: Hi Keycloak masters I've done the token exchange in the same realm, here is a link with my scenario https://www.websequencediagrams.com/?lz=dGl0bGUgRGV0YWlsZWQgdG9rZW4gZXhjaGFuZ2UgKEtleWNsb2FrKQoKcGFydGljaXBhbnQgVXNlciBhcyBVAAkNQXBwMSBhcyAxAB8NSURQIGFzIElEUAAdEDIgYXMgMgoKbm90ZSBvdmVyIFU6VGhlIHUAWQVuZCBhbGwgdGhlIGFwcCBhcmUgaW4ACgVzYW1lIHJlYWxtADALMTp0aGlzIEFwcCBpcyBPSURDIHByb3RlY3RlZApVLT4xOgCBMAVnb2VzIHRvAFAHIHdpdGggYQCBcAdmcm9tIElEUFxuKHNpbXBsaWZpY2F0aW9uKQBSFndhbnQgdG8gZG8gYSBjYWxsIG8AgRsGYXBwMlxub24gYmVoYWxmIG9mAIFCBXVzZXIKMS0-SURQOnJlcXVlc3QAgmEQAH4FQVBQMSB0bwCBRwUyXG51c2luZwCCDwYAgxoFLACCNgZjbGllbnRJRACCJQUAgnYFY3JlZGVudGlhbHMKSURQLS0-MTpyZXR1cm4gYWNjZXNzAIFgCG9yAIJ6BQoxLT4yOmJhY2tlbmQAgTsGAGYGACIMAIMTCzI6T3B0aW9ubmFsCjIAgUEGZ2V0dXNlcmluZm8AKRMsXG4AgzcIaXMgc3VyZQCBfwwncyBpAIErBXR5AIFdCElEUCdzIHRydXN0AIE7BzIAgToIAF8LCjIAgU8MAIE0DAoxLS0-VQCBbQgKCg&s=rose I'm trying to do the same cross realm following this documentation https://www.keycloak.org/docs/latest/securing_apps/index.html#external-token-to-internal-token-exchange Here is a link to my draft
https://www.websequencediagrams.com/?lz=dGl0bGUgRGV0YWlsZWQgdG9rZW4gZXhjaGFuZ2UgQ3Jvc3MgcmVhbG0gRHJhZnQgKEtleWNsb2FrKQoKcGFydGljaXBhbnQgVXNlciBhcyBVAAkNQXBwMSBhcyAxAB8NSURQABEFSURQAAgRMgASBzIAOBAAFAUyCgpub3RlIG92ZXIgVTpUaGUgdQB0BW5kIGFsbCB0aGUgYQBvBXJlIGluAAsFc2FtZQCBPQYAMQsxOnRoaXMgQXBwIGlzIE9JREMgcHJvdGVjdGVkClUtPjE6AIFMBWdvZXMgdG8AUQcgd2l0aCBJRABqBUFjY2VzcwCCKgdmcm9tIElEUFxuKHNpbXBsaWZpY2F0aW9uKQBeFndhbnQgdG8gZG8gYSBjYWxsIG8AgScGYXBwMlxub24gYmVoYWxmIG9mAIFPBXVzZXIKMS0-SURQMjpyZXF1ZXN0AIMcEACAfwVBUFAxIHRvAIJFBVxudXNpbmcAghwGAINUBQpJRFAyLS0-MTpyZXR1cm4gYQCBOA1vcgCCdAYxLT4yOmJhY2tlbmQAgRgGAEMGACIMAIJ9CzI6T3B0aW9ubmFsCjIAgR0HZ2V0dXNlcmluZm8AKhMsXG4AgyMHIGlzIHN1cmUAgV0MJ3MgaWRlbnRpdHkAgTsISURQJ3MgdHJ1c3QAgTwIMgCBPAgAYAsKAIFQDQCBNgwKMS0tPlUAgW8ICgo&s=rose However, I don't know which client credentials to put in the query. My app only knows its own credentials (*app1_clientID* and *app1_clientSecret*) and wants to get an access token on the Realm2 (R2) on the clientID "*secured_R2*". The broker on the IDP2 is using the clientID "*R1_for_R2*" on the IDP1. The alias of the broker is "*R2_for_R1_users*".

curl -X POST \
  -d "client_id=app1_clientID" \
  -d "client_secret=app1_clientSecret" \
  --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
  -d "subject_token=my_token_obtained_using_app1_clientID" \
  -d "subject_issuer=R2_for_R1_users" \
  --data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \
  -d "audience=secured_R2" \
  http://IDP2/auth/realms/R2/protocol/openid-connect/token

I got "invalid credentials", which makes sense because the IDP2 can't verify the credentials of the App1 linked to the realm1 (IDP1). I know I missed something.
If someone could give me a hint... Once I understand, I'm willing to propose an update on the documentation. Thanks for any help, Amaury From sblanc at redhat.com Thu Mar 7 01:47:52 2019 From: sblanc at redhat.com (Sebastien Blanc) Date: Thu, 7 Mar 2019 07:47:52 +0100 Subject: [keycloak-user] Keycloak gatekeeper issue In-Reply-To: References: Message-ID: Hi, How do you generate your initial token? From the logs it looks like it's already expired when you send it to the Gatekeeper. On Mon, Feb 18, 2019 at 7:48 PM Ronald Demneri wrote: > > Hello everyone! Any feedback on the matter? Does anyone use Gatekeeper at the moment? > > > Regards, > Ronald > > -----Original Message----- > From: Ronald Demneri > Sent: 15.Feb.2019 1:59 PM > To: Ronald Demneri ; keycloak-user at lists.jboss.org > Subject: RE: Keycloak gatekeeper issue > > I forgot to mention that I am using Keycloak version 4.5 in my test environment, so if it is a compatibility issue, please let me know so that I upgrade Keycloak. > > > Thanks in advance, > Ronald > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org On Behalf Of Ronald Demneri > Sent: 15.Feb.2019 1:41 PM > To: keycloak-user at lists.jboss.org > Subject: [keycloak-user] Keycloak gatekeeper issue > > Hi all, > > I am trying to create an idea on Gatekeeper and have a very simple setup consisting of an upstream server with Apache and PHP.
I run the keycloak-gatekeeper as follows: > > ./keycloak-gatekeeper --config keycloak-gatekeeper.json --verbose=true --resources="uri=/*|white-listed=true" > > The config file is as follows: > > discovery-url: https://keycloak/auth/realms/master > client-id: gatekeeper > client-secret: 94779832-40d7-4342-90d6-12ab52eab831 > listen: 10.253.6.41:80 > enable-refresh-tokens: true > enable-logging: true > enable-json-logging: true > enable-login-handler: true > enable-token-header: true > enable-metrics: true > enable-default-deny: false > redirection-url: http://gatekeeper:80 > //redirection-url: http://10.253.6.41:3000 > encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j > secure-cookie: false > upstream-url: http://127.0.0.1:80 > resources: > - uri: /user/test.php > - uri: /admin/*.php > roles: > - admin > > In the logs I receive the following upon a successful login: > > {"level":"error","ts":1550234109.9775908,"caller":"keycloak-gatekeeper/middleware.go:108","msg":"no session found in request, redirecting for authorization","error":"authentication session not found"} {"level":"info","ts":1550234109.9777544,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.0002176,"status":307,"bytes":95,"client_ip":"10.253.6.24:60575","method":"GET","path":"/user/test.php"} > {"level":"debug","ts":1550234110.0099785,"caller":"keycloak-gatekeeper/handlers.go:88","msg":"incoming authorization request from client address","access_type":"","auth_url":"https://keycloak/auth/realms/master/protocol/openid-connect/auth?client_id=gatekeeper&redirect_uri=http%3A%2F%2Fgatekeeper%3A80%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=0b8a5bf8-e75c-452e-a650-d644c70e7fea","client_ip":"10.253.6.24:60575"} > {"level":"info","ts":1550234110.010026,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.0000993,"status":307,"bytes":331,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/authorize"} > 
{"level":"error","ts":1550234127.0692794,"caller":"keycloak-gatekeeper/handlers.go:152","msg":"unable to verify the id token","error":"the access token has expired"} {"level":"info","ts":1550234127.069323,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.1995038,"status":403,"bytes":0,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/callback"} > > And of course, I am not redirected back to the requested URL. > > I have configured the gatekeeper as a confidential client in Keycloak, and have added the redirect_uri http://gatekeeper:80/oauth/callback > > Any hints? > > Thanks in advance, > Ronald > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From ronald.demneri at amdtia.com Thu Mar 7 03:10:08 2019 From: ronald.demneri at amdtia.com (Ronald Demneri) Date: Thu, 7 Mar 2019 08:10:08 +0000 Subject: [keycloak-user] Keycloak gatekeeper issue In-Reply-To: References: Message-ID: Hi Sebastien, I try to login to the app, I get redirected to Keycloak where I am authenticated and then I receive the error in the Gatekeeper console. Of course, the redirection back to the app is not working. And the fact that the token is already expired is making me scratch my head and the reason why I posted to the userlist. If you need some more information to help me troubleshoot and hopefully resolve it, please let me know. Thanks in advance, Ronald -----Original Message----- From: Sebastien Blanc Sent: 07.Mar.2019 7:48 AM To: Ronald Demneri Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Keycloak gatekeeper issue Hi, How do you generate your initial token ? 
From the logs it looks like it's already expired when you send it to the Gatekeeper. On Mon, Feb 18, 2019 at 7:48 PM Ronald Demneri wrote: > > Hello everyone! Any feedback on the matter? Does anyone use Gatekeeper at the moment? > > > Regards, > Ronald > > -----Original Message----- > From: Ronald Demneri > Sent: 15.Feb.2019 1:59 PM > To: Ronald Demneri ; > keycloak-user at lists.jboss.org > Subject: RE: Keycloak gatekeeper issue > > I forgot to mention that I am using Keycloak version 4.5 in my test environment, so if it is a compatibility issue, please let me know so that I upgrade Keycloak. > > > Thanks in advance, > Ronald > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org > On Behalf Of Ronald Demneri > Sent: 15.Feb.2019 1:41 PM > To: keycloak-user at lists.jboss.org > Subject: [keycloak-user] Keycloak gatekeeper issue > > Hi all, > > I am trying to create an idea on Gatekeeper and have a very simple setup consisting of an upstream server with Apache and PHP.
I run the keycloak-gatekeeper as follows: > > ./keycloak-gatekeeper --config keycloak-gatekeeper.json --verbose=true --resources="uri=/*|white-listed=true" > > The config file is as follows: > > discovery-url: https://keycloak/auth/realms/master > client-id: gatekeeper > client-secret: 94779832-40d7-4342-90d6-12ab52eab831 > listen: 10.253.6.41:80 > enable-refresh-tokens: true > enable-logging: true > enable-json-logging: true > enable-login-handler: true > enable-token-header: true > enable-metrics: true > enable-default-deny: false > redirection-url: http://gatekeeper:80 > //redirection-url: http://10.253.6.41:3000 > encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j > secure-cookie: false > upstream-url: http://127.0.0.1:80 > resources: > - uri: /user/test.php > - uri: /admin/*.php > roles: > - admin > > In the logs I receive the following upon a successful login: > > {"level":"error","ts":1550234109.9775908,"caller":"keycloak-gatekeeper > /middleware.go:108","msg":"no session found in request, redirecting > for authorization","error":"authentication session not found"} > {"level":"info","ts":1550234109.9777544,"caller":"keycloak-gatekeeper/ > middleware.go:90","msg":"client > request","latency":0.0002176,"status":307,"bytes":95,"client_ip":"10.2 > 53.6.24:60575","method":"GET","path":"/user/test.php"} > {"level":"debug","ts":1550234110.0099785,"caller":"keycloak-gatekeeper > /handlers.go:88","msg":"incoming authorization request from client > address","access_type":"","auth_url":"https://keycloak/auth/realms/mas > ter/protocol/openid-connect/auth?client_id=gatekeeper&redirect_uri=htt > p%3A%2F%2Fgatekeeper%3A80%2Foauth%2Fcallback&response_type=code&scope= > openid+email+profile&state=0b8a5bf8-e75c-452e-a650-d644c70e7fea","clie > nt_ip":"10.253.6.24:60575"} > {"level":"info","ts":1550234110.010026,"caller":"keycloak-gatekeeper/m > iddleware.go:90","msg":"client > request","latency":0.0000993,"status":307,"bytes":331,"client_ip":"10. 
> 253.6.24:60575","method":"GET","path":"/oauth/authorize"} > {"level":"error","ts":1550234127.0692794,"caller":"keycloak-gatekeeper > /handlers.go:152","msg":"unable to verify the id token","error":"the > access token has expired"} > {"level":"info","ts":1550234127.069323,"caller":"keycloak-gatekeeper/m > iddleware.go:90","msg":"client > request","latency":0.1995038,"status":403,"bytes":0,"client_ip":"10.25 > 3.6.24:60575","method":"GET","path":"/oauth/callback"} > > And of course, I am not redirected back to the requested URL. > > I have configured the gatekeeper as a confidential client in Keycloak, > and have added the redirect_uri http://gatekeeper:80/oauth/callback > > Any hints? > > Thanks in advance, > Ronald > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From sblanc at redhat.com Thu Mar 7 03:36:50 2019 From: sblanc at redhat.com (Sebastien Blanc) Date: Thu, 7 Mar 2019 09:36:50 +0100 Subject: [keycloak-user] Keycloak gatekeeper issue In-Reply-To: References: Message-ID: Ok, Sorry for asking maybe a stupid question but could it be that your KC server and the gatekeeper have a time difference ? On Thu, Mar 7, 2019 at 9:10 AM Ronald Demneri wrote: > > Hi Sebastien, > > I try to login to the app, I get redirected to Keycloak where I am authenticated and then I receive the error in the Gatekeeper console. Of course, the redirection back to the app is not working. And the fact that the token is already expired is making me scratch my head and the reason why I posted to the userlist. > > > If you need some more information to help me troubleshoot and hopefully resolve it, please let me know. 
> > > Thanks in advance, > Ronald > > -----Original Message----- > From: Sebastien Blanc > Sent: 07.Mar.2019 7:48 AM > To: Ronald Demneri > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Keycloak gatekeeper issue > > Hi, > > How do you generate your initial token ? > From the logs looks like it's already expired when you send it to the Gatekeeper. > > On Mon, Feb 18, 2019 at 7:48 PM Ronald Demneri wrote: > > > > Hello everyone! Any feedback on the matter? Does anyone use Gatekeeper at the moment? > > > > > > Regards, > > Ronald > > > > -----Original Message----- > > From: Ronald Demneri > > Sent: 15.Feb.2019 1:59 PM > > To: Ronald Demneri ; > > keycloak-user at lists.jboss.org > > Subject: RE: Keycloak gatekeeper issue > > > > I forgot to mention that I am using Keycloak version 4.5 in my test environment, so if it is a compatibility issue, please let me know so that I upgrade Keycloak. > > > > > > Thanks in advance, > > Ronald > > > > -----Original Message----- > > From: keycloak-user-bounces at lists.jboss.org > > On Behalf Of Ronald Demneri > > Sent: 15.Feb.2019 1:41 PM > > To: keycloak-user at lists.jboss.org > > Subject: [keycloak-user] Keycloak gatekeeper issue > > > > Hi all, > > > > I am trying to create an idea on Gatekeeper and have a very simple setup consisting of an upstream server with Apache and PHP. 
I run the keycloak-gatekeeper as follows: > > > > ./keycloak-gatekeeper --config keycloak-gatekeeper.json --verbose=true --resources="uri=/*|white-listed=true" > > > > The config file is as follows: > > > > discovery-url: https://keycloak/auth/realms/master > > client-id: gatekeeper > > client-secret: 94779832-40d7-4342-90d6-12ab52eab831 > > listen: 10.253.6.41:80 > > enable-refresh-tokens: true > > enable-logging: true > > enable-json-logging: true > > enable-login-handler: true > > enable-token-header: true > > enable-metrics: true > > enable-default-deny: false > > redirection-url: http://gatekeeper:80 > > //redirection-url: http://10.253.6.41:3000 > > encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j > > secure-cookie: false > > upstream-url: http://127.0.0.1:80 > > resources: > > - uri: /user/test.php > > - uri: /admin/*.php > > roles: > > - admin > > > > In the logs I receive the following upon a successful login: > > > > {"level":"error","ts":1550234109.9775908,"caller":"keycloak-gatekeeper > > /middleware.go:108","msg":"no session found in request, redirecting > > for authorization","error":"authentication session not found"} > > {"level":"info","ts":1550234109.9777544,"caller":"keycloak-gatekeeper/ > > middleware.go:90","msg":"client > > request","latency":0.0002176,"status":307,"bytes":95,"client_ip":"10.2 > > 53.6.24:60575","method":"GET","path":"/user/test.php"} > > {"level":"debug","ts":1550234110.0099785,"caller":"keycloak-gatekeeper > > /handlers.go:88","msg":"incoming authorization request from client > > address","access_type":"","auth_url":"https://keycloak/auth/realms/mas > > ter/protocol/openid-connect/auth?client_id=gatekeeper&redirect_uri=htt > > p%3A%2F%2Fgatekeeper%3A80%2Foauth%2Fcallback&response_type=code&scope= > > openid+email+profile&state=0b8a5bf8-e75c-452e-a650-d644c70e7fea","clie > > nt_ip":"10.253.6.24:60575"} > > {"level":"info","ts":1550234110.010026,"caller":"keycloak-gatekeeper/m > > iddleware.go:90","msg":"client > > 
request","latency":0.0000993,"status":307,"bytes":331,"client_ip":"10. > > 253.6.24:60575","method":"GET","path":"/oauth/authorize"} > > {"level":"error","ts":1550234127.0692794,"caller":"keycloak-gatekeeper > > /handlers.go:152","msg":"unable to verify the id token","error":"the > > access token has expired"} > > {"level":"info","ts":1550234127.069323,"caller":"keycloak-gatekeeper/m > > iddleware.go:90","msg":"client > > request","latency":0.1995038,"status":403,"bytes":0,"client_ip":"10.25 > > 3.6.24:60575","method":"GET","path":"/oauth/callback"} > > > > And of course, I am not redirected back to the requested URL. > > > > I have configured the gatekeeper as a confidential client in Keycloak, > > and have added the redirect_uri http://gatekeeper:80/oauth/callback > > > > Any hints? > > > > Thanks in advance, > > Ronald > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user From ronald.demneri at amdtia.com Thu Mar 7 03:38:43 2019 From: ronald.demneri at amdtia.com (Ronald Demneri) Date: Thu, 7 Mar 2019 08:38:43 +0000 Subject: [keycloak-user] Keycloak gatekeeper issue In-Reply-To: References: Message-ID: Well, I am not sure in fact, need to check, but both vm's are running on Azure, so probably not. I'll post back as soon as possible. Thanks, Ronald -----Original Message----- From: Sebastien Blanc Sent: 07.Mar.2019 9:37 AM To: Ronald Demneri Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Keycloak gatekeeper issue Ok, Sorry for asking maybe a stupid question but could it be that your KC server and the gatekeeper have a time difference ? 
On Thu, Mar 7, 2019 at 9:10 AM Ronald Demneri wrote: > > Hi Sebastien, > > I try to login to the app, I get redirected to Keycloak where I am authenticated and then I receive the error in the Gatekeeper console. Of course, the redirection back to the app is not working. And the fact that the token is already expired is making me scratch my head and the reason why I posted to the userlist. > > > If you need some more information to help me troubleshoot and hopefully resolve it, please let me know. > > > Thanks in advance, > Ronald > > -----Original Message----- > From: Sebastien Blanc > Sent: 07.Mar.2019 7:48 AM > To: Ronald Demneri > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Keycloak gatekeeper issue > > Hi, > > How do you generate your initial token ? > From the logs looks like it's already expired when you send it to the Gatekeeper. > > On Mon, Feb 18, 2019 at 7:48 PM Ronald Demneri wrote: > > > > Hello everyone! Any feedback on the matter? Does anyone use Gatekeeper at the moment? > > > > > > Regards, > > Ronald > > > > -----Original Message----- > > From: Ronald Demneri > > Sent: 15.Feb.2019 1:59 PM > > To: Ronald Demneri ; > > keycloak-user at lists.jboss.org > > Subject: RE: Keycloak gatekeeper issue > > > > I forgot to mention that I am using Keycloak version 4.5 in my test environment, so if it is a compatibility issue, please let me know so that I upgrade Keycloak. > > > > > > Thanks in advance, > > Ronald > > > > -----Original Message----- > > From: keycloak-user-bounces at lists.jboss.org > > On Behalf Of Ronald Demneri > > Sent: 15.Feb.2019 1:41 PM > > To: keycloak-user at lists.jboss.org > > Subject: [keycloak-user] Keycloak gatekeeper issue > > > > Hi all, > > > > I am trying to create an idea on Gatekeeper and have a very simple setup consisting of an upstream server with Apache and PHP. 
I run the keycloak-gatekeeper as follows: > > > > ./keycloak-gatekeeper --config keycloak-gatekeeper.json --verbose=true --resources="uri=/*|white-listed=true" > > > > The config file is as follows: > > > > discovery-url: https://keycloak/auth/realms/master > > client-id: gatekeeper > > client-secret: 94779832-40d7-4342-90d6-12ab52eab831 > > listen: 10.253.6.41:80 > > enable-refresh-tokens: true > > enable-logging: true > > enable-json-logging: true > > enable-login-handler: true > > enable-token-header: true > > enable-metrics: true > > enable-default-deny: false > > redirection-url: http://gatekeeper:80 > > //redirection-url: http://10.253.6.41:3000 > > encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j > > secure-cookie: false > > upstream-url: http://127.0.0.1:80 > > resources: > > - uri: /user/test.php > > - uri: /admin/*.php > > roles: > > - admin > > > > In the logs I receive the following upon a successful login: > > > > {"level":"error","ts":1550234109.9775908,"caller":"keycloak-gatekeep > > er /middleware.go:108","msg":"no session found in request, > > redirecting for authorization","error":"authentication session not > > found"} > > {"level":"info","ts":1550234109.9777544,"caller":"keycloak-gatekeepe > > r/ > > middleware.go:90","msg":"client > > request","latency":0.0002176,"status":307,"bytes":95,"client_ip":"10 > > .2 53.6.24:60575","method":"GET","path":"/user/test.php"} > > {"level":"debug","ts":1550234110.0099785,"caller":"keycloak-gatekeep > > er /handlers.go:88","msg":"incoming authorization request from > > client > > address","access_type":"","auth_url":"https://keycloak/auth/realms/m > > as > > ter/protocol/openid-connect/auth?client_id=gatekeeper&redirect_uri=h > > tt > > p%3A%2F%2Fgatekeeper%3A80%2Foauth%2Fcallback&response_type=code&scop > > e= > > openid+email+profile&state=0b8a5bf8-e75c-452e-a650-d644c70e7fea","cl > > openid+email+ie > > nt_ip":"10.253.6.24:60575"} > > {"level":"info","ts":1550234110.010026,"caller":"keycloak-gatekeeper > > 
/m > > iddleware.go:90","msg":"client > > request","latency":0.0000993,"status":307,"bytes":331,"client_ip":"10. > > 253.6.24:60575","method":"GET","path":"/oauth/authorize"} > > {"level":"error","ts":1550234127.0692794,"caller":"keycloak-gatekeep > > er /handlers.go:152","msg":"unable to verify the id > > token","error":"the access token has expired"} > > {"level":"info","ts":1550234127.069323,"caller":"keycloak-gatekeeper > > /m > > iddleware.go:90","msg":"client > > request","latency":0.1995038,"status":403,"bytes":0,"client_ip":"10. > > 25 3.6.24:60575","method":"GET","path":"/oauth/callback"} > > > > And of course, I am not redirected back to the requested URL. > > > > I have configured the gatekeeper as a confidential client in > > Keycloak, and have added the redirect_uri > > http://gatekeeper:80/oauth/callback > > > > Any hints? > > > > Thanks in advance, > > Ronald > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user From ronald.demneri at amdtia.com Thu Mar 7 03:50:08 2019 From: ronald.demneri at amdtia.com (Ronald Demneri) Date: Thu, 7 Mar 2019 08:50:08 +0000 Subject: [keycloak-user] Keycloak gatekeeper issue In-Reply-To: References: Message-ID: Hi Sebastien, The servers are in sync. Regards, Ronald -----Original Message----- From: keycloak-user-bounces at lists.jboss.org On Behalf Of Ronald Demneri Sent: 07.Mar.2019 9:39 AM To: Sebastien Blanc Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Keycloak gatekeeper issue Well, I am not sure in fact, need to check, but both vm's are running on Azure, so probably not. I'll post back as soon as possible. 
Thanks, Ronald -----Original Message----- From: Sebastien Blanc Sent: 07.Mar.2019 9:37 AM To: Ronald Demneri Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Keycloak gatekeeper issue Ok, Sorry for asking maybe a stupid question but could it be that your KC server and the gatekeeper have a time difference ? On Thu, Mar 7, 2019 at 9:10 AM Ronald Demneri wrote: > > Hi Sebastien, > > I try to login to the app, I get redirected to Keycloak where I am authenticated and then I receive the error in the Gatekeeper console. Of course, the redirection back to the app is not working. And the fact that the token is already expired is making me scratch my head and the reason why I posted to the userlist. > > > If you need some more information to help me troubleshoot and hopefully resolve it, please let me know. > > > Thanks in advance, > Ronald > > -----Original Message----- > From: Sebastien Blanc > Sent: 07.Mar.2019 7:48 AM > To: Ronald Demneri > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Keycloak gatekeeper issue > > Hi, > > How do you generate your initial token ? > From the logs looks like it's already expired when you send it to the Gatekeeper. > > On Mon, Feb 18, 2019 at 7:48 PM Ronald Demneri wrote: > > > > Hello everyone! Any feedback on the matter? Does anyone use Gatekeeper at the moment? > > > > > > Regards, > > Ronald > > > > -----Original Message----- > > From: Ronald Demneri > > Sent: 15.Feb.2019 1:59 PM > > To: Ronald Demneri ; > > keycloak-user at lists.jboss.org > > Subject: RE: Keycloak gatekeeper issue > > > > I forgot to mention that I am using Keycloak version 4.5 in my test environment, so if it is a compatibility issue, please let me know so that I upgrade Keycloak. 
> > > > > > Thanks in advance,
> > > > > > Ronald
> >
> > -----Original Message-----
> > From: keycloak-user-bounces at lists.jboss.org On Behalf Of Ronald Demneri
> > Sent: 15.Feb.2019 1:41 PM
> > To: keycloak-user at lists.jboss.org
> > Subject: [keycloak-user] Keycloak gatekeeper issue
> >
> > Hi all,
> >
> > I am trying to create an idea on Gatekeeper and have a very simple setup consisting of an upstream server with Apache and PHP. I run the keycloak-gatekeeper as follows:
> >
> > ./keycloak-gatekeeper --config keycloak-gatekeeper.json --verbose=true --resources="uri=/*|white-listed=true"
> >
> > The config file is as follows:
> >
> > discovery-url: https://keycloak/auth/realms/master
> > client-id: gatekeeper
> > client-secret: 94779832-40d7-4342-90d6-12ab52eab831
> > listen: 10.253.6.41:80
> > enable-refresh-tokens: true
> > enable-logging: true
> > enable-json-logging: true
> > enable-login-handler: true
> > enable-token-header: true
> > enable-metrics: true
> > enable-default-deny: false
> > redirection-url: http://gatekeeper:80
> > //redirection-url: http://10.253.6.41:3000
> > encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
> > secure-cookie: false
> > upstream-url: http://127.0.0.1:80
> > resources:
> > - uri: /user/test.php
> > - uri: /admin/*.php
> >   roles:
> >   - admin
> >
> > In the logs I receive the following upon a successful login:
> >
> > {"level":"error","ts":1550234109.9775908,"caller":"keycloak-gatekeeper/middleware.go:108","msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
> > {"level":"info","ts":1550234109.9777544,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.0002176,"status":307,"bytes":95,"client_ip":"10.253.6.24:60575","method":"GET","path":"/user/test.php"}
> > {"level":"debug","ts":1550234110.0099785,"caller":"keycloak-gatekeeper/handlers.go:88","msg":"incoming authorization request from client address","access_type":"","auth_url":"https://keycloak/auth/realms/master/protocol/openid-connect/auth?client_id=gatekeeper&redirect_uri=http%3A%2F%2Fgatekeeper%3A80%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=0b8a5bf8-e75c-452e-a650-d644c70e7fea","client_ip":"10.253.6.24:60575"}
> > {"level":"info","ts":1550234110.010026,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.0000993,"status":307,"bytes":331,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/authorize"}
> > {"level":"error","ts":1550234127.0692794,"caller":"keycloak-gatekeeper/handlers.go:152","msg":"unable to verify the id token","error":"the access token has expired"}
> > {"level":"info","ts":1550234127.069323,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.1995038,"status":403,"bytes":0,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/callback"}
> >
> > And of course, I am not redirected back to the requested URL.
> >
> > I have configured the gatekeeper as a confidential client in Keycloak, and have added the redirect_uri http://gatekeeper:80/oauth/callback
> >
> > Any hints?
> >
> > Thanks in advance,
> > Ronald

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Thu Mar 7 04:03:16 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 7 Mar 2019 10:03:16 +0100
Subject: [keycloak-user] Moving container images to Quay (from Docker Hub)

We are planning on moving our container images to Quay.io. The question is do we also need to keep pushing to Docker Hub? If so why?

From thomas.darimont at googlemail.com Thu Mar 7 04:07:08 2019
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Thu, 7 Mar 2019 10:07:08 +0100
Subject: [keycloak-user] [keycloak-dev] Moving container images to Quay (from Docker Hub)

What's the reason for moving to Quay?

Cheers,
Thomas

From sthorger at redhat.com Thu Mar 7 06:12:36 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 7 Mar 2019 12:12:36 +0100
Subject: [keycloak-user] [keycloak-dev] Moving container images to Quay (from Docker Hub)

Docker has gained too much ownership around containers.
Red Hat is doing a lot of investments around improving that to give people flexibility and choices when it comes to containers. This includes Podman, Buildah and Quay.io. That being said it is obviously still important for us that container images are still available to those that choose to use Docker tools, so we will make sure you still can docker run keycloak.

Any reason why not Quay?! ;)

From sthorger at redhat.com Thu Mar 7 06:14:42 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 7 Mar 2019 12:14:42 +0100
Subject: [keycloak-user] [keycloak-dev] Moving container images to Quay (from Docker Hub)

Right now the images are available both on Quay and Docker Hub. With potentially removing Docker Hub in the future.

You can find the images in Quay here: https://quay.io/organization/keycloak

In Quay it's keycloak/keycloak instead of jboss/keycloak as we do want to get away from the false impression that Keycloak is only for Java stuff.

From sthorger at redhat.com Thu Mar 7 06:16:13 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 7 Mar 2019 12:16:13 +0100
Subject: [keycloak-user] [keycloak-dev] Moving container images to Quay (from Docker Hub)

From my impression most distros already pull images from quay automatically, so there shouldn't be any change for the user. For those few that don't have distros where it pulls from quay the images can be pulled with

docker pull quay.io/keycloak/keycloak

From triton.oidc at gmail.com Thu Mar 7 07:25:05 2019
From: triton.oidc at gmail.com (triton oidc)
Date: Thu, 7 Mar 2019 12:25:05 +0000
Subject: [keycloak-user] redirect_uri in token exchange redirect

Hi,

I did an account linking on two Keycloak IDPs; my Keycloak is 4.8.3 on the two servers.

When I do a token exchange, I get:

"error_description":"identity provider is not linked, can only link to current user session","account-link-url":"https://iMyIDP1:9443/auth/realms/Realm/broker/A_for2/link?nonce=32cb2809-40a3-44ef-9554-cc3fe99a55fb&hash=2qFr-7xxOBY41Hotche3MjSYkEqeH_WGkkYxvej1GNc&client_id=1-secure","error":"not_linked"

When I enter this URL in a browser, I get an Invalid Request.

When I look at the error log, I see:

type=TOKEN_EXCHANGE_ERROR, realmId=realm, clientId=realm-secure, userId=null, ipAddress=172.18.56.212, error=invalid_request, reason='requested_issuer has not linked', auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, requested_issuer=1_for_2, client_auth_method=client-secret
type=CLIENT_INITIATED_ACCOUNT_LINKING_ERROR, realmId=R1, clientId=R1-secure, userId=null, ipAddress=172.18.56.212,
error=invalid_redirect_uri

When I look at the code:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
line 213, the redirect_uri is mandatory, however it's not in the generated link.

Is it a mistake, or did I miss something?

Thanks for any help,
Amaury

From muratfair at gmail.com Thu Mar 7 08:14:52 2019
From: muratfair at gmail.com (Murat Doner)
Date: Thu, 7 Mar 2019 14:14:52 +0100
Subject: [keycloak-user] Mixed Content error because of Keyloack default login redirection

Hello,

*INFORMATION NEEDED:*

I use Keycloak (Docker version) behind a Spring project. (The client side of this project is React and communication between client and backend is provided by REST services.) The client side is secured and using the "https" scheme.

This is my Spring configuration:

keycloak:
  auth-server-url: https://sso-ssoha.b9ad.pro-us-east-1.openshiftapps.com/auth
  realm: master
  resource: clientname
  public-client: true

*THE ROOT OF THE PROBLEM:*

When I click a link from the client, it calls a Spring service normally. But before that, it redirects to the default login page of Keycloak by adding this path *sso/login* to the current "https" URL but changing the scheme to "http".

*But, redirecting from https to http creates a problem like this:*

Mixed Content: The page at 'https://www.helpful.army/contents/Problem' was loaded over HTTPS, but requested an insecure resource 'http://serviceha-helpfularmy.b9ad.pro-us-east-1.openshiftapps.com/sso/login'. This request has been blocked; the content must be served over HTTPS.

Problem on StackOverflow:
https://stackoverflow.com/questions/55044623/mixed-content-error-because-of-keyloack-default-login-redirection

From roxspring at imapmail.org Thu Mar 7 08:17:00 2019
From: roxspring at imapmail.org (roxspring at imapmail.org)
Date: Thu, 7 Mar 2019 13:17:00 -0000
Subject: [keycloak-user] Listing the UMA resources accessible by a user
Message-ID: <08cf01d4d4e8$0d7e9e10$287bda30$@imapmail.org>

Hi folks,

UMA seems to be a great solution to model fine grained permissions and allow scenarios such as "Alice shares Folder X with Bob".

Keycloak seems to implement this well with APIs for the resource server to ask "Given [User] and [Folder X], can the user do [Scope]?" and provide answers for both Alice and Bob based on some policy.

Where I'm struggling is that our application also needs to provide an answer to "Given [User], which folders can they do [Scope] to?" and I'm not clear how best to achieve this with Keycloak.

A. Track which folders a user owns or can access and answer the question directly in the resource server, but that results in the resource server having a rigid model of the authorization rules and loses the benefits of Keycloak's flexible policies (or duplicates the policy which seems just as bad).
B. Have the resource server choose some subset of all folders and ask Keycloak to validate each resource, but that becomes very chatty and slow when there are 1000s of resources to validate.
C. Just ask Keycloak to validate all resources and just return those the user can access, but that's also potentially slow with 1000s of resources to validate and 100s accessible.
   a. As above but with additional filtering by resource type to trim the options.
   b. As above but with additional filtering by attributes (e.g. where property:owner = "Alice")
   c. As above but with a full blown query language (e.g. "WHERE type=Folder AND (property:owner=Alice OR property:sharedwith contains Alice)")
D. ...?

I was expecting some variant of C to be the recommended way forward but I can't find the relevant APIs (even without filtering). What's the best way to model such a (presumably common) scenario?

Thanks,
Rob

From psilva at redhat.com Thu Mar 7 08:35:30 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 7 Mar 2019 10:35:30 -0300
Subject: [keycloak-user] Listing the UMA resources accessible by a user
In-Reply-To: <08cf01d4d4e8$0d7e9e10$287bda30$@imapmail.org>
References: <08cf01d4d4e8$0d7e9e10$287bda30$@imapmail.org>

Hi,

We have an API that allows you to list resources shared with a specific user if the access was granted based on the standard UMA flow (using permission tickets). The Keycloak AuthZ Java Client [1] provides access to this API.

[1] https://github.com/keycloak/keycloak/blob/76076cdb3c5d7f83084b6794707b11e8b1a499c6/authz/client/src/main/java/org/keycloak/authorization/client/resource/PermissionResource.java#L197

From thomas.isaksen at toyota.no Thu Mar 7 09:45:58 2019
From: thomas.isaksen at toyota.no (Konsulent Thomas Isaksen (TNO))
Date: Thu, 7 Mar 2019 14:45:58 +0000
Subject: [keycloak-user] keycloak Nginx TLS problem

Can anyone please help, I have spent all day searching for the answer but I'm not getting anywhere.

I am trying to configure Nginx as a reverse-proxy to Keycloak and I'm getting close, access to the keycloak console and such via https is working just fine. The problem is when I try to login to my app and return from the auth provider (azure) I get a 403 forbidden and the following message in the application log:

2019-03-07 14:50:45,831 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-9) Adapter requires SSL. Request: http://local.toyota.no/workBenchWeb/zul/main.zul?state=c23babe7-6637-48fe-ab6d-1fd93d168e76&session_state=6dea7cb2-27a5-4e9a-9c90-000297d42528&code=304398e5-6fa7-435c-bd4c-a02899d4e412.6dea7cb2-27a5-4e9a-9c90-000297d42528.27a4bd04-e22e-4186-b8c8-cc0895ab429f

My keycloak.json:

{
  "realm": "TKS-TEST",
  "auth-server-url": "https://kct.toyota.no/auth",
  "ssl-required": "all",
  "resource": "tks-test-client",
  "public-client": true,
  "confidential-port": 443,
  "principal-attribute": "preferred_username"
}

./t

From roxspring at imapmail.org Thu Mar 7 09:46:59 2019
From: roxspring at imapmail.org (roxspring at imapmail.org)
Date: Thu, 7 Mar 2019 14:46:59 -0000
Subject: [keycloak-user] Listing the UMA resources accessible by a user
References: <08cf01d4d4e8$0d7e9e10$287bda30$@imapmail.org>
Message-ID: <095301d4d4f4$9f4624b0$ddd26e10$@imapmail.org>

Thanks Pedro, that gives me something to try out! (Turns out I was using an old client and didn't have that API available... time for some upgrades!)

From francois.gourrier at libre-logic.fr Thu Mar 7 11:35:27 2019
From: francois.gourrier at libre-logic.fr (François Gourrier)
Date: Thu, 7 Mar 2019 17:35:27 +0100 (CET)
Subject: [keycloak-user] Give access to his account to a client
In-Reply-To: <755644972.67560.1551976451655.JavaMail.zimbra@librelogic.fr>
References: <1290766556.136901.1551279572997.JavaMail.zimbra@librelogic.fr>
Message-ID: <478397259.67567.1551976527581.JavaMail.zimbra@librelogic.fr>

Hello everyone,

I find the answer by myself to my question. I followed the instructions given for "fine grained permissions" here:
https://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions

But I do not have the expected result. Here is my configuration:

- I created a group "admin" and gave it the role "query-client" on the client "realm-management" of the realm concerned.
- For the client "Test" for which I wish to give access (for management) to a dedicated user, I created a policy with the right to manage for the group concerned "admin", via the "permissions" tab.
- I added the relevant user "Test" in this group "admin".

And the result is: "Forbidden. You do not have access to the requested resource" ...

If I add the role "view-realm" to the group "admin" on the client "realm-management" of the realm concerned, it's OK, but the user "test" also reads the whole configuration of the realm, which is not desirable.

Did I miss something?

Thank you in advance

----- Original Message -----
From: "Francois Gourrier"
To: keycloak-user at lists.jboss.org
Sent: Wednesday 27 February 2019 15:59:33
Subject: [keycloak-user] Give access to his account to a client

Hello everyone,

we are currently using keycloak. We created several clients on a realm.
To simplify the management of URIs, we would like to give the management of his account to each client. The REST API allows modifying the account, but it is not necessary that a customer can go to see the configuration of the other customers, which is nevertheless possible if he has the rights of access to the service (unless one can restrict access to a client).

Another track would be that a customer connects to his account via the back office.

A track to meet the need?

Thank you in advance.

François GOURRIER

From tkyjovsk at redhat.com Thu Mar 7 12:50:25 2019
From: tkyjovsk at redhat.com (Tomas Kyjovsky)
Date: Thu, 7 Mar 2019 12:50:25 -0500 (EST)
Subject: [keycloak-user] Performance decrease after upgrade
In-Reply-To: <5333974.5036509.1551110943096.JavaMail.zimbra@redhat.com>
References: <5333974.5036509.1551110943096.JavaMail.zimbra@redhat.com>
Message-ID: <435005560.7563046.1551981025869.JavaMail.zimbra@redhat.com>

Hi,

I tried to reproduce the regression between 4.5.0 and 4.8.3 by running a simple OIDC login / refresh token / logout scenario, but I didn't see any regression in either single-node deployment or 2-node cluster deployment. I can see almost the same performance numbers in throughput and response times (within 3% difference).

Is it possible that some of your configuration changed during the upgrade? For example data-source settings (connection pool size, etc.) or max. number of HTTP connections on the container's HTTP listener.

You can check by running:

  ./jboss-cli.sh -c

from your KC installation and then:

  /subsystem=undertow/server=default-server/http-listener=default:read-resource
  --> attribute max-connections

  /subsystem=datasources/data-source=KeycloakDS:read-resource
  --> attributes min-pool-size, max-pool-size

or others which could affect performance.

Perhaps some settings on the load-balancer if you have a clustered deployment? Some custom SPI implementations?

One setting which has big performance impact is the number of hashing iterations. However I checked and the default setting is the same in both versions: 27500.

Anyway, thanks for letting us know. We will be adding more test coverage into the performance testsuite in the near future so we'll try to keep this in mind.

CC: Marek, Hynek - any ideas off the top of your head what could have changed between 4.5.0 and 4.8.3 which could have caused a regression in the mentioned endpoints?

Regards,
Tomas

----- Original Message -----
> Hello Mario,
>
> Thanks for letting us know. I will try and have a look into it this week and try to isolate the cause of that regression.
>
> Regards,
> Tomas
>
> ----- Original Message -----
> > Hi,
> >
> > we're running nightly stress tests against our keycloak dev environment, to monitor maximum throughput rates and average response times of selected endpoints.
> >
> > After upgrading from KC 3.4.3 to 4.8.3, we noticed considerable dents in our curves.
> >
> > For example:
> > Userinfo dropped from ~12k max. Requests per sec to ~7k; response times increased from ~30ms to 45ms
> > Code flow (3 correlated requests): 1.5k -> 1k max. Requests per sec; 100ms -> 150ms response time
> > Password Credentials Grant: 800 -> 600 max. Requests per sec; 300ms -> 500ms response time
> >
> > We have another system running KC 4.5.0, which does not seem to suffer from that performance decrease, so it was probably introduced with > 4.5.
> >
> > Are there any known developments that might be the reason for our observations?
> >
> > Thanks,
> > Mario.

From sysadmin at peoplesvoice.co Thu Mar 7 17:04:47 2019
From: sysadmin at peoplesvoice.co (Johan Andrés Mateus Lamprea)
Date: Thu, 7 Mar 2019 17:04:47 -0500
Subject: [keycloak-user] Security Updates

Hi there,

I'm a new user in Keycloak and I would like to know what is the alternative to install security updates, patches and fixes on my standalone installation?

Thanks in advance.
Best Regards.

From zhorose at cctus.com Thu Mar 7 18:10:12 2019
From: zhorose at cctus.com (Zak Horose)
Date: Thu, 7 Mar 2019 23:10:12 +0000
Subject: [keycloak-user] Having trouble with Keycloak Performance Testsuite

Hello,

I'm having trouble getting the test suite to work. I'm following the "Getting started for the impatient" instructions. I am running:

centos 7
docker version 1.13.1, build 07f3374/1.13.1
docker-compose version 1.18.0, build 8dd22a9
openjdk version "1.8.0_201"
maven 3.5.4

Going through the steps I am successful until

mvn verify -Pgenerate-data -Ddataset=1r_10c_100u -DnumOfWorkers=10

I have tried maven 3.1.1, 3.2.5, 3.6.0 and haven't gotten as far. Below is the output with maven 3.5.4. The first error encountered is 500, is this a permissions issue or am I missing some software? Any help is appreciated.
reated entities: Realm 1
14:35:23 Time: +5 s Created entities: Realm 1 RealmRole 10 Client 10 ClientRole 100
14:35:24 Time: +6 s Created entities: Realm 1 RealmRole 10 Client 10 ClientRole 100 User 3
14:35:24 Error occured: javax.ws.rs.WebApplicationException: Create method returned status Internal Server Error (Code: 500); expected status: Created (201)
14:35:24 Exception thrown from executor service. Shutting down.
Exception in thread "main" java.lang.RuntimeException: javax.ws.rs.WebApplicationException: Create method returned status Internal Server Error (Code: 500); expected status: Created (201)
        at org.keycloak.performance.dataset.DatasetLoader.processEntities(DatasetLoader.java:149)
        at org.keycloak.performance.dataset.DatasetLoader.processDataset(DatasetLoader.java:75)
        at org.keycloak.performance.dataset.DatasetLoader.main(DatasetLoader.java:35)
Caused by: javax.ws.rs.WebApplicationException: Create method returned status Internal Server Error (Code: 500); expected status: Created (201)
        at org.keycloak.admin.client.CreatedResponseUtil.getCreatedId(CreatedResponseUtil.java:43)
        at org.keycloak.performance.dataset.Creatable.createCheckingForConflict(Creatable.java:51)
        at org.keycloak.performance.dataset.Creatable.createOrUpdateExisting(Creatable.java:69)
        at org.keycloak.performance.dataset.DatasetLoader.lambda$processEntities$0(DatasetLoader.java:118)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
[ERROR] Command execution failed.
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO]
[INFO] Keycloak Performance TestSuite 6.0.0-SNAPSHOT ...... SUCCESS [  1.317 s]
[INFO] Keycloak Performance TestSuite - Keycloak Server ... SUCCESS [  2.089 s]
[INFO] Keycloak Performance TestSuite - Wildfly ModCluster Load Balancer SUCCESS [  0.873 s]
[INFO] Keycloak Performance TestSuite - Infinispan Server . SUCCESS [  1.358 s]
[INFO] Keycloak Performance TestSuite - Tests 6.0.0-SNAPSHOT FAILURE [ 12.429 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 18.582 s
[INFO] Finished at: 2019-03-07T14:35:24-07:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.codehaus.mojo:exec-maven-plugin:1.6.0:exec (load-data) on project performance-tests: Command execution failed.: Process exited with an error: 1 (Exit value: 1) -> [Help 1]
[ERROR]
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
[ERROR]
[ERROR] After correcting the problems, you can resume the build with the command
[ERROR]   mvn -rf :performance-tests

Zak

From bruno at abstractj.org Thu Mar 7 18:51:35 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 7 Mar 2019 20:51:35 -0300
Subject: [keycloak-user] Keycloak gatekeeper issue
Message-ID: <20190307235135.GA31156@abstractj.org>

Hi Ronald, one of the possible reasons for getting this message is the way how you configured the redirect URL on Keycloak server.

Maybe that's the case?

On 2019-02-15, Ronald Demneri wrote:
> Hi all,
>
> I am trying to create an idea on Gatekeeper and have a very simple setup consisting of an upstream server with Apache and PHP.
> I run the keycloak-gatekeeper as follows:
>
> ./keycloak-gatekeeper --config keycloak-gatekeeper.json --verbose=true --resources="uri=/*|white-listed=true"
>
> The config file is as follows:
>
> discovery-url: https://keycloak/auth/realms/master
> client-id: gatekeeper
> client-secret: 94779832-40d7-4342-90d6-12ab52eab831
> listen: 10.253.6.41:80
> enable-refresh-tokens: true
> enable-logging: true
> enable-json-logging: true
> enable-login-handler: true
> enable-token-header: true
> enable-metrics: true
> enable-default-deny: false
> redirection-url: http://gatekeeper:80
> //redirection-url: http://10.253.6.41:3000
> encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
> secure-cookie: false
> upstream-url: http://127.0.0.1:80
> resources:
> - uri: /user/test.php
> - uri: /admin/*.php
>   roles:
>   - admin
>
> In the logs I receive the following upon a successful login:
>
> {"level":"error","ts":1550234109.9775908,"caller":"keycloak-gatekeeper/middleware.go:108","msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
> {"level":"info","ts":1550234109.9777544,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.0002176,"status":307,"bytes":95,"client_ip":"10.253.6.24:60575","method":"GET","path":"/user/test.php"}
> {"level":"debug","ts":1550234110.0099785,"caller":"keycloak-gatekeeper/handlers.go:88","msg":"incoming authorization request from client address","access_type":"","auth_url":"https://keycloak/auth/realms/master/protocol/openid-connect/auth?client_id=gatekeeper&redirect_uri=http%3A%2F%2Fgatekeeper%3A80%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=0b8a5bf8-e75c-452e-a650-d644c70e7fea","client_ip":"10.253.6.24:60575"}
> {"level":"info","ts":1550234110.010026,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.0000993,"status":307,"bytes":331,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/authorize"}
> {"level":"error","ts":1550234127.0692794,"caller":"keycloak-gatekeeper/handlers.go:152","msg":"unable to verify the id token","error":"the access token has expired"}
> {"level":"info","ts":1550234127.069323,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.1995038,"status":403,"bytes":0,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/callback"}
>
> And of course, I am not redirected back to the requested URL.
>
> I have configured the gatekeeper as a confidential client in Keycloak, and have added the redirect_uri http://gatekeeper:80/oauth/callback
>
> Any hints?
>
> Thanks in advance,
> Ronald
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
abstractj

From mposolda at redhat.com Fri Mar 8 02:30:34 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 8 Mar 2019 08:30:34 +0100
Subject: [keycloak-user] Performance decrease after upgrade
In-Reply-To: <435005560.7563046.1551981025869.JavaMail.zimbra@redhat.com>
References: <5333974.5036509.1551110943096.JavaMail.zimbra@redhat.com> <435005560.7563046.1551981025869.JavaMail.zimbra@redhat.com>
Message-ID: <93343c5e-850c-8a3b-74b9-392e147545d5@redhat.com>

On 07/03/2019 18:50, Tomas Kyjovsky wrote:
> Hi,
>
> I tried to reproduce the regression between 4.5.0 and 4.8.3 by running a simple OIDC login / refresh token / logout scenario, but I didn't see any regression, either in a single-node deployment or in a 2-node cluster deployment. I can see almost the same performance numbers in throughput and response times (within 3% difference).
>
> Is it possible that some of your configuration changed during the upgrade? For example data-source settings (connection pool size, etc.) or the max. number of HTTP connections on the container's HTTP listener.
>
> You can check by running `./jboss-cli.sh -c` from your KC installation and then:
>
> /subsystem=undertow/server=default-server/http-listener=default:read-resource
>
> --> attribute max-connections
>
> /subsystem=datasources/data-source=KeycloakDS:read-resource
>
> --> attributes min-pool-size, max-pool-size or others which could affect performance
>
> Perhaps some settings on the load-balancer if you have a clustered deployment? Some custom SPI implementations?
> One setting which has a big performance impact is the number of hashing iterations. However, I checked and the default setting is the same in both versions: 27500.
>
> Anyway, thanks for letting us know. We will be adding more test coverage into the performance testsuite in the near future, so we'll try to keep this in mind.
>
> CC: Marek, Hynek - any ideas off the top of your head what could have changed between 4.5.0 and 4.8.3 which could have caused a regression in the mentioned endpoints?

I can't recall anything from the top of my head, but it's possible there were some changes affecting performance. As Tomas pointed out, it can depend on a change of some settings like pool sizes etc. It can also depend on the count of data - for example you may see performance degradation just when you have 10.000 users, each having 50 roles assigned to him (just an example) etc etc. In short, there are lots of factors involved, so hard to say... :(

Marek

>
>
> Regards,
> Tomas
>
>
> ----- Original Message -----
>> Hello Mario,
>>
>> Thanks for letting us know. I will try and have a look into it this week and try to isolate the cause of that regression.
>>
>>
>> Regards,
>> Tomas
>>
>>
>> ----- Original Message -----
>>> Hi,
>>>
>>> we're running nightly stress tests against our keycloak dev environment, to monitor maximum throughput rates and average response times of selected endpoints.
>>>
>>> After upgrading from KC 3.4.3 to 4.8.3, we noticed considerable dents in our curves.
>>>
>>> For example:
>>> Userinfo dropped from ~12k max. requests per sec to ~7k; response times increased from ~30ms to 45ms
>>> Code flow (3 correlated requests): 1.5k -> 1k max. requests per sec; 100ms -> 150ms response time
>>> Password Credentials Grant: 800 -> 600 max. requests per sec; 300ms -> 500ms response time
>>>
>>> We have another system running KC 4.5.0, which does not seem to suffer from that performance decrease, so it was probably introduced with > 4.5.
>>>
>>> Are there any known developments that might be the reason for our observations?
>>>
>>> Thanks,
>>> Mario.
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>

From au.direction at gmail.com Fri Mar 8 03:17:35 2019
From: au.direction at gmail.com (Андрей Ушаков)
Date: Fri, 8 Mar 2019 10:17:35 +0200
Subject: [keycloak-user] Terms and conditions on the registration page

Hello, keycloak has a "terms and conditions" feature, but it is depicted on the next page after registration. Is there a way to put it on the registration page as a checkbox using the admin panel? If not, will security be impacted if I do it programmatically via js and by editing register.ftl?
From ronald.demneri at amdtia.com Fri Mar 8 04:06:07 2019
From: ronald.demneri at amdtia.com (Ronald Demneri)
Date: Fri, 8 Mar 2019 09:06:07 +0000
Subject: [keycloak-user] Keycloak gatekeeper issue
In-Reply-To: <20190307235135.GA31156@abstractj.org>
References: <20190307235135.GA31156@abstractj.org>

Hello Bruno,

From my first email:
> I have configured the gatekeeper as a confidential client in Keycloak,
> and have added the redirect_uri http://gatekeeper:80/oauth/callback

Which of course I got from the documentation here https://www.keycloak.org/docs/latest/securing_apps/index.html#example-usage-and-configuration

Thanks in advance,
Ronald

-----Original Message-----
From: Bruno Oliveira
Sent: 08.Mar.2019 12:52 AM
To: Ronald Demneri
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak gatekeeper issue

Hi Ronald, one of the possible reasons for getting this message is the way how you configured the redirect URL on Keycloak server.

Maybe that's the case?

On 2019-02-15, Ronald Demneri wrote:
> Hi all,
>
> I am trying to create an idea on Gatekeeper and have a very simple setup consisting of an upstream server with Apache and PHP.
-- 
abstractj

From mhajas at redhat.com Fri Mar 8 04:55:56 2019
From: mhajas at redhat.com (Michal Hajas)
Date: Fri, 8 Mar 2019 10:55:56 +0100
Subject: [keycloak-user] Give access to his account to a client
In-Reply-To: <478397259.67567.1551976527581.JavaMail.zimbra@librelogic.fr>
References: <1290766556.136901.1551279572997.JavaMail.zimbra@librelogic.fr> <755644972.67560.1551976451655.JavaMail.zimbra@librelogic.fr> <478397259.67567.1551976527581.JavaMail.zimbra@librelogic.fr>

Hi Francois,

first of all, please make sure you are using the latest version of Keycloak. In upstream there was recently a bugfix [1] which may relate to your issue.

I tried to follow your steps and it worked for me, so please check that the group policy is correctly assigned to the manage permission in the Permissions tab, and also check whether the user really belongs to the admin group. If you are sure that everything is set correctly and you are still not able to make it work, feel free to send me your realm exported to json [2] and I can look at it.

My settings: I created client1 & client2 and user1 & user2 (passwords: pass).
- User1 is able to manage client1 because he is part of the admin group and Client1 has the admin-group-membership policy configured.
- User2 is able to manage Client1 because he is also part of admin-group, and Client2 because it is configured with a User policy which permits User2 to manage it.

Best regards,
Michal Hajas

[1] https://issues.jboss.org/browse/KEYCLOAK-9489
[2] https://www.keycloak.org/docs/latest/server_admin/index.html#_export_import

On Thu, Mar 7, 2019 at 6:09 PM François Gourrier <francois.gourrier at libre-logic.fr> wrote:
> Hello everyone,
>
> I find the answer by myself to my question.
>
> I followed the instructions given for "fine grained permissions" here:
> https://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions
>
> But I do not have the expected result.
>
> Here is my configuration:
>
> - I created a group "admin" and gave it the role "query-client" on the client "realm-management" of the kingdom concerned
> - For the client "Test" for which I wish to give access (for management) to a dedicated user, I created a policy with the right to manage for the group concerned "admin", via the "permissions" tab.
> - I added the relevant user "Test" in this group "admin".
>
> And the result is: "Forbidden. You do not have access to the requested resource" ...
>
> If I add the role "view-realm" to the group "admin" on the client "realm-management" of the kingdom concerned, it's OK, but the user "test" also reads the whole configuration of the kingdom, which is not desirable.
>
> Did I miss something?
>
> Thank you in advance
>
> ----- Original Message -----
> From: "Francois Gourrier"
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday 27 February 2019 15:59:33
> Subject: [keycloak-user] Give access to his account to a client
>
> Hello everyone,
>
> we are currently using keycloak. We created several clients on a realm.
> To simplify the management of URIs, we would like to give the management of his account to each client.
>
> The REST API allows to modify the account, but it is not necessary that a customer can go to see the configuration of the other customers, which is nevertheless possible if he has the rights of access to the service (unless one can restrict access to a client).
>
> Another track would be that a customer connects to his account via the back office.
>
> A track to meet the need?
>
> Thank you in advance.
>
> François GOURRIER
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From francois.gourrier at libre-logic.fr Fri Mar 8 05:12:29 2019
From: francois.gourrier at libre-logic.fr (François Gourrier)
Date: Fri, 8 Mar 2019 11:12:29 +0100 (CET)
Subject: [keycloak-user] Give access to his account to a client
In-Reply-To: <918120196.70481.1552039942118.JavaMail.zimbra@librelogic.fr>
References: <1290766556.136901.1551279572997.JavaMail.zimbra@librelogic.fr> <755644972.67560.1551976451655.JavaMail.zimbra@librelogic.fr> <478397259.67567.1551976527581.JavaMail.zimbra@librelogic.fr>
Message-ID: <558986945.70485.1552039949565.JavaMail.zimbra@librelogic.fr>

Hello Michal,

Thank you for your answer, which actually seems to be a very good track of resolution!

The version I'm using is 4.8, I'm going to deploy the last one.

Best regards,
François

From: "Michal Hajas"
To: "Francois Gourrier"
Cc: keycloak-user at lists.jboss.org
Sent: Friday 8 March 2019 10:55:56
Subject: Re: [keycloak-user] Give access to his account to a client

Hi Francois,

first of all, please make sure you are using the latest version of Keycloak.

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From lorenzo.luconi at iit.cnr.it Fri Mar 8 05:15:09 2019
From: lorenzo.luconi at iit.cnr.it (Lorenzo Luconi Trombacchi)
Date: Fri, 8 Mar 2019 11:15:09 +0100
Subject: [keycloak-user] Moving container images to Quay (from Docker Hub)
Message-ID: <71AF9967-235A-4CF7-B0EB-F75E1A87DF5A@iit.cnr.it>

Will docker images for older releases be migrated from Docker Hub to Quay?

Lorenzo

> On 7 Mar 2019, at 10:03, Stian Thorgersen wrote:
>
> We are planning on moving our container images to Quay.io.
> The question is do we also need to keep pushing to Docker Hub? If so, why?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From bruno at abstractj.org Fri Mar 8 05:34:06 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Fri, 8 Mar 2019 07:34:06 -0300
Subject: [keycloak-user] Keycloak gatekeeper issue
References: <20190307235135.GA31156@abstractj.org>
Message-ID: <20190308103406.GA29105@abstractj.org>

Yeah, but we need to think about all the possibilities. Another thing I noticed in your configuration is the fact that your listen address diverges from your redirect url.

I'd suggest isolating the problem by first trying your setup locally to see if it works, and later moving to VMs. Like Sebi, at first glance I'd suspect the time sync of these VMs. But you already mentioned that's not the case.

Could you please describe your scenario better? What is running in each VM, for example? How did you configure your confidential client?

On 2019-03-08, Ronald Demneri wrote:
> Hello Bruno,
>
> From my first email:
> > I have configured the gatekeeper as a confidential client in Keycloak,
> > and have added the redirect_uri http://gatekeeper:80/oauth/callback
>
> Which of course I got from the documentation here https://www.keycloak.org/docs/latest/securing_apps/index.html#example-usage-and-configuration
>
> Thanks in advance,
> Ronald

-- 
abstractj

From ronald.demneri at amdtia.com Fri Mar 8 05:49:54 2019
From: ronald.demneri at amdtia.com (Ronald Demneri)
Date: Fri, 8 Mar 2019 10:49:54 +0000
Subject: [keycloak-user] Keycloak gatekeeper issue
In-Reply-To: <20190308103406.GA29105@abstractj.org>
References: <20190307235135.GA31156@abstractj.org> <20190308103406.GA29105@abstractj.org>

Hey, thanks for the quick reply. The setup is in fact very simple, and just for some quick testing: gatekeeper is running alongside apache/php in the vm; in fact I was trying to replace apache's mod_auth_openidc that I used in a different vm with gatekeeper, to have a look at how it works.
That is why I configured gatekeeper to listen on the eth0 IP address, whereas apache is listening on loopback (upstream-url in gatekeeper config file). In Keycloak, the configuration is basic as well, just the client name and redirect URI. Regards, Ronald -----Original Message----- From: Bruno Oliveira Sent: 08.Mar.2019 11:34 AM To: Ronald Demneri Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Keycloak gatekeeper issue Yeah, but we need to think about all the possibilities. Another thing I noticed in your configuration is the fact that your listen address diverges from your redirect URL. I'd suggest isolating the problem by first trying your setup locally to see if it works, and later moving to VMs. Like Sebi, at first glance I'd suspect the time sync of these VMs. But you already mentioned that's not the case. Could you please describe your scenario better? What is running in each VM, for example? How did you configure your confidential client? On 2019-03-08, Ronald Demneri wrote: > Hello Bruno, > > From my first email: > > I have configured the gatekeeper as a confidential client in > > Keycloak, and have added the redirect_uri > > http://gatekeeper:80/oauth/callback > > Which of course I got from the documentation here > https://www.keycloak.org/docs/latest/securing_apps/index.html#example- > usage-and-configuration > > Thanks in advance, > Ronald > > > -----Original Message----- > From: Bruno Oliveira > Sent: 08.Mar.2019 12:52 AM > To: Ronald Demneri > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Keycloak gatekeeper issue > > Hi Ronald, one of the possible reasons for getting this message is the way you configured the redirect URL on the Keycloak server. > > Maybe that's the case? > > On 2019-02-15, Ronald Demneri wrote: > > Hi all, > > > > I am trying to create an idea on Gatekeeper and have a very simple setup consisting of an upstream server with Apache and PHP. 
I run the keycloak-gatekeeper as follows: > > > > ./keycloak-gatekeeper --config keycloak-gatekeeper.json --verbose=true --resources="uri=/*|white-listed=true" > > > > The config file is as follows: > > > > discovery-url: https://keycloak/auth/realms/master > > client-id: gatekeeper > > client-secret: 94779832-40d7-4342-90d6-12ab52eab831 > > listen: 10.253.6.41:80 > > enable-refresh-tokens: true > > enable-logging: true > > enable-json-logging: true > > enable-login-handler: true > > enable-token-header: true > > enable-metrics: true > > enable-default-deny: false > > redirection-url: http://gatekeeper:80 > > //redirection-url: http://10.253.6.41:3000 > > encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j > > secure-cookie: false > > upstream-url: http://127.0.0.1:80 > > resources: > > - uri: /user/test.php > > - uri: /admin/*.php > > roles: > > - admin > > > > In the logs I receive the following upon a successful login: > > > > {"level":"error","ts":1550234109.9775908,"caller":"keycloak-gatekeep > > er /middleware.go:108","msg":"no session found in request, > > redirecting for authorization","error":"authentication session not > > found"} > > {"level":"info","ts":1550234109.9777544,"caller":"keycloak-gatekeepe > > r/ > > middleware.go:90","msg":"client > > request","latency":0.0002176,"status":307,"bytes":95,"client_ip":"10 > > .2 53.6.24:60575","method":"GET","path":"/user/test.php"} > > {"level":"debug","ts":1550234110.0099785,"caller":"keycloak-gatekeep > > er /handlers.go:88","msg":"incoming authorization request from > > client > > address","access_type":"","auth_url":"https://keycloak/auth/realms/m > > as > > ter/protocol/openid-connect/auth?client_id=gatekeeper&redirect_uri=h > > tt > > p%3A%2F%2Fgatekeeper%3A80%2Foauth%2Fcallback&response_type=code&scop > > e= > > openid+email+profile&state=0b8a5bf8-e75c-452e-a650-d644c70e7fea","client_ip":"10.253.6.24:60575"} > > {"level":"info","ts":1550234110.010026,"caller":"keycloak-gatekeeper > > 
/m > > iddleware.go:90","msg":"client > > request","latency":0.0000993,"status":307,"bytes":331,"client_ip":"10. > > 253.6.24:60575","method":"GET","path":"/oauth/authorize"} > > {"level":"error","ts":1550234127.0692794,"caller":"keycloak-gatekeep > > er /handlers.go:152","msg":"unable to verify the id > > token","error":"the access token has expired"} > > {"level":"info","ts":1550234127.069323,"caller":"keycloak-gatekeeper > > /m > > iddleware.go:90","msg":"client > > request","latency":0.1995038,"status":403,"bytes":0,"client_ip":"10. > > 25 3.6.24:60575","method":"GET","path":"/oauth/callback"} > > > > And of course, I am not redirected back to the requested URL. > > > > I have configured the gatekeeper as a confidential client in > > Keycloak, and have added the redirect_uri > > http://gatekeeper:80/oauth/callback > > > > Any hints? > > > > Thanks in advance, > > Ronald > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- > > abstractj -- abstractj From sthorger at redhat.com Fri Mar 8 06:02:11 2019 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 8 Mar 2019 12:02:11 +0100 Subject: [keycloak-user] Moving container images to Quay (from Docker Hub) In-Reply-To: <71AF9967-235A-4CF7-B0EB-F75E1A87DF5A@iit.cnr.it> References: <71AF9967-235A-4CF7-B0EB-F75E1A87DF5A@iit.cnr.it> Message-ID: Didn't have a plan to migrate old releases, but rather just leave them on docker hub. Current plan is: * Keycloak/Keycloak image on Quay * jboss/Keycloak image on Docker Hub Deprecated jboss/Keycloak, but continue to release it for another year or so. On Fri, 8 Mar 2019, 11:15 Lorenzo Luconi Trombacchi, < lorenzo.luconi at iit.cnr.it> wrote: > docker images for older releases will be migrated from Docker Hub to Quay? 
> > Lorenzo > > > > On 7 Mar 2019, at 10:03, Stian Thorgersen < > sthorger at redhat.com> wrote: > > > > We are planning on moving our container images to Quay.io. The question > is > > do we also need to keep pushing to Docker Hub? If so why? > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From triton.oidc at gmail.com Fri Mar 8 06:10:00 2019 From: triton.oidc at gmail.com (triton oidc) Date: Fri, 8 Mar 2019 11:10:00 +0000 Subject: [keycloak-user] Token exchange cross realm In-Reply-To: References: Message-ID: Hi, I tried giving the app1 the credentials of the R1_for_R2 (the client used for the federation on the IDP2) and I could exchange the token from the app1 to a token on the app2! However that's far from what we wish: the app1 now has the power to exchange any token on R2 configured with the Client R1_for_R2, so I can have only one application on each side with token exchange activated without security issues. If it makes sense, I can propose an update on the documentation, specifying the application needs the credentials of the second IDP to do the exchange. 
Cheers On Wed, Mar 6, 2019 at 4:49 PM triton oidc wrote: > Hi Keycloak masters > > I've done the token exchange in the same realm, > here is a link with my scenario > > https://www.websequencediagrams.com/?lz=dGl0bGUgRGV0YWlsZWQgdG9rZW4gZXhjaGFuZ2UgKEtleWNsb2FrKQoKcGFydGljaXBhbnQgVXNlciBhcyBVAAkNQXBwMSBhcyAxAB8NSURQIGFzIElEUAAdEDIgYXMgMgoKbm90ZSBvdmVyIFU6VGhlIHUAWQVuZCBhbGwgdGhlIGFwcCBhcmUgaW4ACgVzYW1lIHJlYWxtADALMTp0aGlzIEFwcCBpcyBPSURDIHByb3RlY3RlZApVLT4xOgCBMAVnb2VzIHRvAFAHIHdpdGggYQCBcAdmcm9tIElEUFxuKHNpbXBsaWZpY2F0aW9uKQBSFndhbnQgdG8gZG8gYSBjYWxsIG8AgRsGYXBwMlxub24gYmVoYWxmIG9mAIFCBXVzZXIKMS0-SURQOnJlcXVlc3QAgmEQAH4FQVBQMSB0bwCBRwUyXG51c2luZwCCDwYAgxoFLACCNgZjbGllbnRJRACCJQUAgnYFY3JlZGVudGlhbHMKSURQLS0-MTpyZXR1cm4gYWNjZXNzAIFgCG9yAIJ6BQoxLT4yOmJhY2tlbmQAgTsGAGYGACIMAIMTCzI6T3B0aW9ubmFsCjIAgUEGZ2V0dXNlcmluZm8AKRMsXG4AgzcIaXMgc3VyZQCBfwwncyBpAIErBXR5AIFdCElEUCdzIHRydXN0AIE7BzIAgToIAF8LCjIAgU8MAIE0DAoxLS0-VQCBbQgKCg&s=rose > > I'm trying to do the same cross realm following this documentation > > https://www.keycloak.org/docs/latest/securing_apps/index.html#external-token-to-internal-token-exchange > > Here is a link to my draft > > https://www.websequencediagrams.com/?lz=dGl0bGUgRGV0YWlsZWQgdG9rZW4gZXhjaGFuZ2UgQ3Jvc3MgcmVhbG0gRHJhZnQgKEtleWNsb2FrKQoKcGFydGljaXBhbnQgVXNlciBhcyBVAAkNQXBwMSBhcyAxAB8NSURQABEFSURQAAgRMgASBzIAOBAAFAUyCgpub3RlIG92ZXIgVTpUaGUgdQB0BW5kIGFsbCB0aGUgYQBvBXJlIGluAAsFc2FtZQCBPQYAMQsxOnRoaXMgQXBwIGlzIE9JREMgcHJvdGVjdGVkClUtPjE6AIFMBWdvZXMgdG8AUQcgd2l0aCBJRABqBUFjY2VzcwCCKgdmcm9tIElEUFxuKHNpbXBsaWZpY2F0aW9uKQBeFndhbnQgdG8gZG8gYSBjYWxsIG8AgScGYXBwMlxub24gYmVoYWxmIG9mAIFPBXVzZXIKMS0-SURQMjpyZXF1ZXN0AIMcEACAfwVBUFAxIHRvAIJFBVxudXNpbmcAghwGAINUBQpJRFAyLS0-MTpyZXR1cm4gYQCBOA1vcgCCdAYxLT4yOmJhY2tlbmQAgRgGAEMGACIMAIJ9CzI6T3B0aW9ubmFsCjIAgR0HZ2V0dXNlcmluZm8AKhMsXG4AgyMHIGlzIHN1cmUAgV0MJ3MgaWRlbnRpdHkAgTsISURQJ3MgdHJ1c3QAgTwIMgCBPAgAYAsKAIFQDQCBNgwKMS0tPlUAgW8ICgo&s=rose > > However i don't know which client credentials put in the query. 
> my app only knows it's own credentials (*app1_clientID* and > *app1_clientSecret*) > and wants to get an access token on the Realm2 (R2) on the clientID " > *secured_R2*" > The broker on the IDP2 is using the clientID "*R1_for_R2*" on the IDP1 > The alias of the broker is "*R2_for_R1_users*" > > curl -X POST \ > -d "client_id=*app1_clientID*" \ > -d "client_secret=*app1_clientSecret*" \ > --data-urlencode > "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \ > -d "subject_token="*my_token_obtained_using_app1_clientID*" \ > -d "subject_issuer=*R2_for_R1_users*" \ > --data-urlencode > "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \ > -d "audience=*secured_R2*" \ > http://*IDP2*/auth/realms/*R2*/protocol/openid-connect/token > > I got an invalid credentials, which makes sense because the IDP2 can't > verify the credentials of the App1 linked to the realm1 (IDP1) > I know i missed something. > If someone could give me a hint > > Once i understand, i'm willing to propose an update on the documentation > > Thanks for any help > > Amaury > > > > > From psilva at redhat.com Fri Mar 8 08:08:46 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Fri, 8 Mar 2019 10:08:46 -0300 Subject: [keycloak-user] Token exchange cross realm In-Reply-To: References: Message-ID: Nice ! Please, feel free to send a PR with improvements to docs. Regarding the app1 being able to exchange any token on R2 did you try to write a JS policy with your access constraints to the token-exchange permission ? On Fri, Mar 8, 2019 at 8:14 AM triton oidc wrote: > Hi, > > I tried giving the app1 the credentials of the R1_for_R2 (the client used > for the federation on the IDP2) > and i could exchange the token from the app1 to a token on the app2 ! 
> > However that's far from what we wish > the app1 has now the power to exchange any token on R2 configured with the > Client R1_for_R2, so i can have only one application on each side with > token exchange activated without security issues. > > If it makes sense, i can propose an update on the documentation, specifying > the application needs the credentials of the second IDP to do the exchange. > > Cheers > > > On Wed, Mar 6, 2019 at 4:49 PM triton oidc wrote: > > > Hi Keycloak masters > > > > I've done the token exchange in the same realm, > > here is a link with my scenario > > > > > https://www.websequencediagrams.com/?lz=dGl0bGUgRGV0YWlsZWQgdG9rZW4gZXhjaGFuZ2UgKEtleWNsb2FrKQoKcGFydGljaXBhbnQgVXNlciBhcyBVAAkNQXBwMSBhcyAxAB8NSURQIGFzIElEUAAdEDIgYXMgMgoKbm90ZSBvdmVyIFU6VGhlIHUAWQVuZCBhbGwgdGhlIGFwcCBhcmUgaW4ACgVzYW1lIHJlYWxtADALMTp0aGlzIEFwcCBpcyBPSURDIHByb3RlY3RlZApVLT4xOgCBMAVnb2VzIHRvAFAHIHdpdGggYQCBcAdmcm9tIElEUFxuKHNpbXBsaWZpY2F0aW9uKQBSFndhbnQgdG8gZG8gYSBjYWxsIG8AgRsGYXBwMlxub24gYmVoYWxmIG9mAIFCBXVzZXIKMS0-SURQOnJlcXVlc3QAgmEQAH4FQVBQMSB0bwCBRwUyXG51c2luZwCCDwYAgxoFLACCNgZjbGllbnRJRACCJQUAgnYFY3JlZGVudGlhbHMKSURQLS0-MTpyZXR1cm4gYWNjZXNzAIFgCG9yAIJ6BQoxLT4yOmJhY2tlbmQAgTsGAGYGACIMAIMTCzI6T3B0aW9ubmFsCjIAgUEGZ2V0dXNlcmluZm8AKRMsXG4AgzcIaXMgc3VyZQCBfwwncyBpAIErBXR5AIFdCElEUCdzIHRydXN0AIE7BzIAgToIAF8LCjIAgU8MAIE0DAoxLS0-VQCBbQgKCg&s=rose > > > > I'm trying to do the same cross realm following this documentation > > > > > https://www.keycloak.org/docs/latest/securing_apps/index.html#external-token-to-internal-token-exchange > > > > Here is a link to my draft > > > > > 
https://www.websequencediagrams.com/?lz=dGl0bGUgRGV0YWlsZWQgdG9rZW4gZXhjaGFuZ2UgQ3Jvc3MgcmVhbG0gRHJhZnQgKEtleWNsb2FrKQoKcGFydGljaXBhbnQgVXNlciBhcyBVAAkNQXBwMSBhcyAxAB8NSURQABEFSURQAAgRMgASBzIAOBAAFAUyCgpub3RlIG92ZXIgVTpUaGUgdQB0BW5kIGFsbCB0aGUgYQBvBXJlIGluAAsFc2FtZQCBPQYAMQsxOnRoaXMgQXBwIGlzIE9JREMgcHJvdGVjdGVkClUtPjE6AIFMBWdvZXMgdG8AUQcgd2l0aCBJRABqBUFjY2VzcwCCKgdmcm9tIElEUFxuKHNpbXBsaWZpY2F0aW9uKQBeFndhbnQgdG8gZG8gYSBjYWxsIG8AgScGYXBwMlxub24gYmVoYWxmIG9mAIFPBXVzZXIKMS0-SURQMjpyZXF1ZXN0AIMcEACAfwVBUFAxIHRvAIJFBVxudXNpbmcAghwGAINUBQpJRFAyLS0-MTpyZXR1cm4gYQCBOA1vcgCCdAYxLT4yOmJhY2tlbmQAgRgGAEMGACIMAIJ9CzI6T3B0aW9ubmFsCjIAgR0HZ2V0dXNlcmluZm8AKhMsXG4AgyMHIGlzIHN1cmUAgV0MJ3MgaWRlbnRpdHkAgTsISURQJ3MgdHJ1c3QAgTwIMgCBPAgAYAsKAIFQDQCBNgwKMS0tPlUAgW8ICgo&s=rose > > > > However i don't know which client credentials put in the query. > > my app only knows it's own credentials (*app1_clientID* and > > *app1_clientSecret*) > > and wants to get an access token on the Realm2 (R2) on the clientID " > > *secured_R2*" > > The broker on the IDP2 is using the clientID "*R1_for_R2*" on the IDP1 > > The alias of the broker is "*R2_for_R1_users*" > > > > curl -X POST \ > > -d "client_id=*app1_clientID*" \ > > -d "client_secret=*app1_clientSecret*" \ > > --data-urlencode > > "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \ > > -d "subject_token="*my_token_obtained_using_app1_clientID*" \ > > -d "subject_issuer=*R2_for_R1_users*" \ > > --data-urlencode > > "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \ > > -d "audience=*secured_R2*" \ > > http://*IDP2*/auth/realms/*R2*/protocol/openid-connect/token > > > > I got an invalid credentials, which makes sense because the IDP2 can't > > verify the credentials of the App1 linked to the realm1 (IDP1) > > I know i missed something. 
> > If someone could give me a hint > > > > Once I understand, I'm willing to propose an update on the documentation > > > > Thanks for any help > > > > Amaury > > > > > > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From neil.youngman at wirefast.mygbiz.com Fri Mar 8 09:35:12 2019 From: neil.youngman at wirefast.mygbiz.com (Neil Youngman) Date: Fri, 8 Mar 2019 14:35:12 +0000 Subject: [keycloak-user] Administering keycloak without a local browser Message-ID: I am trying to work through the Getting Started Guide and not getting far. The machine I am installing on does not have a local browser. The guide says I can add the initial admin user using the add-user-keycloak.sh script. I have done that, but subsequent steps then assume I can get into the console with a browser. Is it possible to continue the setup from the command line or does almost everything require the web interface? After some digging I found a pointer in the mailing list to https://www.keycloak.org/docs/3.0/server_installation/topics/network/bind-address.html. From that I saw that I can use ./standalone.sh -b 10.17.3.57, which will allow me to continue with the tutorial, but I would like to know if there is a simple way to limit access to a few other hosts? Neil Youngman From bruno at abstractj.org Fri Mar 8 12:10:56 2019 From: bruno at abstractj.org (Bruno Oliveira) Date: Fri, 8 Mar 2019 14:10:56 -0300 Subject: [keycloak-user] Administering keycloak without a local browser In-Reply-To: References: Message-ID: <20190308171055.GA15552@abstractj.org> Hi Neil, try $KEYCLOAK_HOME/bin/standalone.sh -b 0.0.0.0. You should be able to access the Keycloak interface in your browser just by pointing to the IP address. Something like: http://10.17.3.57:8080/auth Regarding your question, yes, you can do several things using the command line. But it's just harder. 
Please, see our latest up-to-date docs here: https://www.keycloak.org/documentation.html On 2019-03-08, Neil Youngman wrote: > I am trying to work through the Getting Started Guide and not getting far. > > The machine I am installing on does not have a local browser. The guide > says I can add the initial admin user using the add-user-keycloak.sh > script. I have done that, but subsequent steps then assume I can get into > the console with a browser. > > Is it possible to continue the setup from the command line or does almost > everything require the web interface? > > After some digging I found a pointer in the mailing list to > https://www.keycloak.org/docs/3.0/server_installation/topics/network/bind-address.html. > From that I saw that I can use ./standalone.sh -b 10.17.3.57, which will > allow me to continue with the tutorial, but I would like to know if there > is a simple way to limit access to a few other hosts? > > Neil Youngman > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- abstractj From victor at dvelp.co.uk Fri Mar 8 13:50:57 2019 From: victor at dvelp.co.uk (Victor Alejo) Date: Fri, 8 Mar 2019 19:50:57 +0100 Subject: [keycloak-user] Keycloak Saml Client ID Message-ID: Hi, I am integrating Keycloak with my service using a SAML client but I get the "unknown login requester" error all the time. My service: - Uses SAML 2.0 - SSO URL pointing to: https://sso.develop.stentle.com/auth/realms/my_realm_keycloak_app/protocol/saml - Certificate X.509 added, working. - Identity Provider Issuer: This is the value we I know how to set. - The client_ID value in the SAML client of Keycloak: "Specified ID referrenced in URI and tokens. For example 'my-client' This is also the expected issuer value from auth request" Does anyone know what should be in this value and how it relates to the Identity Provider Issuer? Thank you! 
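The "unknown login requester" error in the post above is what Keycloak returns when the <saml:Issuer> of the incoming AuthnRequest matches no SAML client's Client ID in the realm: the Client ID is the SP's own entityID, not the IdP issuer. The following is an added example, not Keycloak's or the poster's code. It constructs an AuthnRequest for a hypothetical SP, encodes it the way an SP does for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding) or the HTTP-POST binding (base64 only), then decodes it on the IdP side and looks the Issuer up in a constructed registry of registered Client IDs. The SP URLs, the registry contents and the request ID are assumptions made for the example.

```python
"""Added example (not Keycloak's code): why a SAML SP's Issuer must equal the
Keycloak Client ID.  Registry, SP URLs and request contents are constructed."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed stand-in for a realm's SAML clients, keyed by Client ID.
# Keycloak resolves the login requester by looking the AuthnRequest's
# <saml:Issuer> up as a Client ID, so the SP's entityID must be the key here.
REGISTERED_SAML_CLIENTS = {
    "https://my-service.example/saml/metadata": {
        "acs": "https://my-service.example/saml/acs",
    },
}


def build_authn_request(issuer: str, acs_url: str, idp_sso_url: str) -> str:
    """Minimal, unsigned SAML 2.0 AuthnRequest carrying the SP's entityID as Issuer."""
    req_id = "_" + uuid.uuid4().hex
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{req_id}" Version="2.0" IssueInstant="2019-03-08T18:50:57Z" '
        f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def encode_redirect_binding(xml: str, relay_state: str = "") -> str:
    """SP side, HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return urlencode(params)


def decode_redirect_binding(query: str) -> ET.Element:
    """IdP side: undo the Redirect-binding encoding and parse the request."""
    raw = parse_qs(query, strict_parsing=True)["SAMLRequest"][0]
    return ET.fromstring(zlib.decompress(base64.b64decode(raw), -15))


def encode_post_binding(xml: str) -> str:
    """SP side, HTTP-POST binding: the SAMLRequest form field is plain base64."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def decode_post_binding(saml_request_field: str) -> ET.Element:
    """IdP side, HTTP-POST binding: base64-decode and parse."""
    return ET.fromstring(base64.b64decode(saml_request_field))


def issuer_of(authn_request: ET.Element) -> Optional[str]:
    """Extract the <saml:Issuer> text, or None if the request carries none."""
    el = authn_request.find(f"{{{SAML}}}Issuer")
    return el.text.strip() if el is not None and el.text else None


def resolve_login_requester(
    authn_request: ET.Element, registry=REGISTERED_SAML_CLIENTS
) -> Tuple[Optional[str], Optional[dict]]:
    """Return (issuer, client).  client is None when no Client ID equals the
    Issuer, which is the situation Keycloak reports as 'unknown login requester'."""
    issuer = issuer_of(authn_request)
    return issuer, (registry.get(issuer) if issuer else None)


if __name__ == "__main__":
    idp = "https://sso.develop.stentle.com/auth/realms/my_realm_keycloak_app/protocol/saml"
    acs = "https://my-service.example/saml/acs"
    good = encode_redirect_binding(build_authn_request("https://my-service.example/saml/metadata", acs, idp))
    bad = encode_redirect_binding(build_authn_request("my-client", acs, idp))
    for query in (good, bad):
        issuer, client = resolve_login_requester(decode_redirect_binding(query))
        print(issuer, "->", "ok" if client else "unknown login requester")
```

Run it and the first request resolves while the second, whose Issuer is the tooltip's sample value 'my-client', does not: the fix on the Keycloak side is to set the client's Client ID to exactly the entityID the SP sends, which the SP normally also publishes as the entityID attribute of its metadata EntityDescriptor.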
From jdennis at redhat.com Fri Mar 8 15:17:51 2019 From: jdennis at redhat.com (John Dennis) Date: Fri, 8 Mar 2019 15:17:51 -0500 Subject: [keycloak-user] Keycloak Saml Client ID In-Reply-To: References: Message-ID: <1142593f-a23b-d906-e0cc-6fea7ca6dd80@redhat.com> On 3/8/19 1:50 PM, Victor Alejo wrote: > Hi, > > I am integrating Keycloak with my service using a SAML client but I get > the "unknown login requester" error all the time. > > My service: > - Uses SAML 2.0 > - SSO URL pointing to: > https://sso.develop.stentle.com/auth/realms/my_realm_keycloak_app/protocol/saml > > > - Certificate X.509 added, working. > > - Identity Provider Issuer: This is the value we I know how to set. > > - The client_ID value in the SAML client of Keycloak: > > "Specified ID referrenced in URI and tokens. For example 'my-client' This > is also the expected issuer value from auth request" > > Does anyone know what should be in this value and how it relates to the > Identity Provider Issuer? It's not related. There are two parties involved, the IdP (i.e. Keycloak) and the SP (i.e. your client). Each must know about the other; typically this is done through SAML metadata exchange, but Keycloak allows you to manually add the client if you don't have metadata. Each party is identified by something SAML calls the entityID; it *must* be a URN. You will find the entityID for the SP in the EntityDescriptor of the client's metadata and the entityID in the EntityDescriptor in your Keycloak realm's metadata. Keycloak's clientid *is* the SAML SP's entityID and appears in the authnRequest sent by your SP to Keycloak. What is sent by your SP as its entityID *must* match the entityID (i.e. clientid) registered in your Keycloak realm. To find the IdP entity description, register or create your SAML SP client in your realm and then click on the Installation tab, then select SAML Metadata IDPSSODescriptor as the format. Your SP may need this metadata depending on the client. 
It just so happens that the issuer field in the realm's OpenID Endpoint Configuration matches the SAML IDP entityID, but it's best to pull this value from the SAML IDP metadata. -- John Dennis From ravindra.desilva at gmail.com Sun Mar 10 21:21:25 2019 From: ravindra.desilva at gmail.com (Ravindra De Silva) Date: Sun, 10 Mar 2019 21:21:25 -0400 Subject: [keycloak-user] Token exchange cross realm In-Reply-To: References: Message-ID: Hi Pedro, I saw this thread when about to inquire on cross-realm token exchange. My use case is quite similar. I have multiple realms (one per brand), and all the staff users are in the master realm, federated from FreeIPA (LDAP integration). Staff users in the master realm manage all other users in other realms. I tested staff (master realm) users impersonating the members (other realms) using the admin console. However, unfortunately, all our apps (browser, native apps) are using the Resource Owner Password Credentials (ROPC) flow for authentication. This decision is beyond my control due to legacy and branding reasons. Anyhow, as a result, I cannot rely on Keycloak cookies for anything and rely extensively on Keycloak APIs. As mentioned in this thread, token exchange within the realm worked perfectly. Then cross-realm token exchange did not work. The first challenge I faced is in creating the token exchange policy. A client (admin app1) from the master realm is not available to select from the brand (member) realm. Only the clients from the same realm are available to pick as the starting client. Therefore, a member realm client (member app1) cannot allow a master realm client (admin app1) to exchange (at least to create a token exchange policy). Then I looked at ways a staff member can authenticate against the member realm so that both starting and target realms are the same. I tried using identity federation. I configured the member realm IDP to use the master realm broker. 
As a staff member, I was able to log in to member realm through the federation, using Keycloak browser authentication (redirects). However, I could not figure out how to use identity brokering via API only, since member realm OIDC endpoints are of the master realm. So far, from what I understand identity brokering is a must for cross-realm token exchange? However, identity brokering requires browser redirects? I will debug Keycloak source code next week. However, please let me know if the cross-realm token exchange is not possible when the original authentication (starting realm) was performed using API only with ROPC flow. Please note that I am aware that I can federate staff users to each realm and get staff users to impersonate members in each realm. However, I would like to avoid that duplication. Once I am very clear about the intentions of token exchange, I can send a PR request for the documentation. I appreciate your help. Thanks, Ravindra On Sun, Mar 10, 2019 at 9:55 AM Pedro Igor Silva wrote: > Nice ! Please, feel free to send a PR with improvements to docs. > > Regarding the app1 being able to exchange any token on R2 did you try to > write a JS policy with your access constraints to the token-exchange > permission ? > > On Fri, Mar 8, 2019 at 8:14 AM triton oidc wrote: > > > Hi, > > > > I tried giving the app1 the credentials of the R1_for_R2 (the client used > > for the federation on the IDP2) > > and i could exchange the token from the app1 to a token on the app2 ! > > > > However that's far from what we wish > > the app1 has now the power to exchange any token on R2 configured with > the > > Client R1_for_R2, so i can have only one application on each side with > > token exchange activated without security issues. > > > > If it makes sense, i can propose an update on the documentation, > specifying > > the application needs the credentials of the second IDP to do the > exchange. 
> > > > Cheers > > > > > > On Wed, Mar 6, 2019 at 4:49 PM triton oidc > wrote: > > > > > Hi Keycloak masters > > > > > > I've done the token exchange in the same realm, > > > here is a link with my scenario > > > > > > > > > https://www.websequencediagrams.com/?lz=dGl0bGUgRGV0YWlsZWQgdG9rZW4gZXhjaGFuZ2UgKEtleWNsb2FrKQoKcGFydGljaXBhbnQgVXNlciBhcyBVAAkNQXBwMSBhcyAxAB8NSURQIGFzIElEUAAdEDIgYXMgMgoKbm90ZSBvdmVyIFU6VGhlIHUAWQVuZCBhbGwgdGhlIGFwcCBhcmUgaW4ACgVzYW1lIHJlYWxtADALMTp0aGlzIEFwcCBpcyBPSURDIHByb3RlY3RlZApVLT4xOgCBMAVnb2VzIHRvAFAHIHdpdGggYQCBcAdmcm9tIElEUFxuKHNpbXBsaWZpY2F0aW9uKQBSFndhbnQgdG8gZG8gYSBjYWxsIG8AgRsGYXBwMlxub24gYmVoYWxmIG9mAIFCBXVzZXIKMS0-SURQOnJlcXVlc3QAgmEQAH4FQVBQMSB0bwCBRwUyXG51c2luZwCCDwYAgxoFLACCNgZjbGllbnRJRACCJQUAgnYFY3JlZGVudGlhbHMKSURQLS0-MTpyZXR1cm4gYWNjZXNzAIFgCG9yAIJ6BQoxLT4yOmJhY2tlbmQAgTsGAGYGACIMAIMTCzI6T3B0aW9ubmFsCjIAgUEGZ2V0dXNlcmluZm8AKRMsXG4AgzcIaXMgc3VyZQCBfwwncyBpAIErBXR5AIFdCElEUCdzIHRydXN0AIE7BzIAgToIAF8LCjIAgU8MAIE0DAoxLS0-VQCBbQgKCg&s=rose > > > > > > I'm trying to do the same cross realm following this documentation > > > > > > > > > https://www.keycloak.org/docs/latest/securing_apps/index.html#external-token-to-internal-token-exchange > > > > > > Here is a link to my draft > > > > > > > > > 
https://www.websequencediagrams.com/?lz=dGl0bGUgRGV0YWlsZWQgdG9rZW4gZXhjaGFuZ2UgQ3Jvc3MgcmVhbG0gRHJhZnQgKEtleWNsb2FrKQoKcGFydGljaXBhbnQgVXNlciBhcyBVAAkNQXBwMSBhcyAxAB8NSURQABEFSURQAAgRMgASBzIAOBAAFAUyCgpub3RlIG92ZXIgVTpUaGUgdQB0BW5kIGFsbCB0aGUgYQBvBXJlIGluAAsFc2FtZQCBPQYAMQsxOnRoaXMgQXBwIGlzIE9JREMgcHJvdGVjdGVkClUtPjE6AIFMBWdvZXMgdG8AUQcgd2l0aCBJRABqBUFjY2VzcwCCKgdmcm9tIElEUFxuKHNpbXBsaWZpY2F0aW9uKQBeFndhbnQgdG8gZG8gYSBjYWxsIG8AgScGYXBwMlxub24gYmVoYWxmIG9mAIFPBXVzZXIKMS0-SURQMjpyZXF1ZXN0AIMcEACAfwVBUFAxIHRvAIJFBVxudXNpbmcAghwGAINUBQpJRFAyLS0-MTpyZXR1cm4gYQCBOA1vcgCCdAYxLT4yOmJhY2tlbmQAgRgGAEMGACIMAIJ9CzI6T3B0aW9ubmFsCjIAgR0HZ2V0dXNlcmluZm8AKhMsXG4AgyMHIGlzIHN1cmUAgV0MJ3MgaWRlbnRpdHkAgTsISURQJ3MgdHJ1c3QAgTwIMgCBPAgAYAsKAIFQDQCBNgwKMS0tPlUAgW8ICgo&s=rose > > > > > > However i don't know which client credentials put in the query. > > > my app only knows it's own credentials (*app1_clientID* and > > > *app1_clientSecret*) > > > and wants to get an access token on the Realm2 (R2) on the clientID " > > > *secured_R2*" > > > The broker on the IDP2 is using the clientID "*R1_for_R2*" on the IDP1 > > > The alias of the broker is "*R2_for_R1_users*" > > > > > > curl -X POST \ > > > -d "client_id=*app1_clientID*" \ > > > -d "client_secret=*app1_clientSecret*" \ > > > --data-urlencode > > > "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \ > > > -d "subject_token="*my_token_obtained_using_app1_clientID*" \ > > > -d "subject_issuer=*R2_for_R1_users*" \ > > > --data-urlencode > > > "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \ > > > -d "audience=*secured_R2*" \ > > > http://*IDP2*/auth/realms/*R2*/protocol/openid-connect/token > > > > > > I got an invalid credentials, which makes sense because the IDP2 can't > > > verify the credentials of the App1 linked to the realm1 (IDP1) > > > I know i missed something. 
> > > If someone could give me a hint > > > > > > Once i understand, i'm willing to propose an update on the > documentation > > > > > > Thanks for any help > > > > > > Amaury > > > > > > > > > > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From thomas.isaksen at toyota.no Mon Mar 11 03:53:08 2019 From: thomas.isaksen at toyota.no (Konsulent Thomas Isaksen (TNO)) Date: Mon, 11 Mar 2019 07:53:08 +0000 Subject: [keycloak-user] Help problem with Bad request Message-ID: Hi, I have this exact issue. Did you find the cause? -- Thomas Isaksen From mhajas at redhat.com Mon Mar 11 04:58:44 2019 From: mhajas at redhat.com (Michal Hajas) Date: Mon, 11 Mar 2019 09:58:44 +0100 Subject: [keycloak-user] Administering keycloak without a local browser In-Reply-To: References: Message-ID: Hi, On Fri, Mar 8, 2019 at 3:37 PM Neil Youngman < neil.youngman at wirefast.mygbiz.com> wrote: > I am trying to work through the Getting Started Guide and not getting far. > > The machine I am installing on does not have a local browser. The guide > says I can add the initial admin user using the add-user-keycloak.sh > script. I have done that, but subsequent steps then assume I can get into > the console with a browser. > > Is it possible to continue the set up from the command line or does almost > everything require the web interface? > You can use admin CLI described here: https://www.keycloak.org/docs/latest/server_admin/index.html#the-admin-cli Admin console is just using REST endpoints provided by Keycloak, so you basically don't need admin console at all. 
> After some digging I found a pointer in the mailing list to > > https://www.keycloak.org/docs/3.0/server_installation/topics/network/bind-address.html > . > From that I saw that I can use ./standalone.sh -b 10.17.3.57, which will > allow me to continue with the tutorial, but I would like to know if there > is a simple way to limit access to a few other hosts? > > Sorry, but I don't understand this question, could you rephrase? > Neil Youngman > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From weissbiermuggerl at gmail.com Mon Mar 11 06:10:28 2019 From: weissbiermuggerl at gmail.com (Matthias O) Date: Mon, 11 Mar 2019 11:10:28 +0100 Subject: [keycloak-user] Restricting audience when using service-to-service calls Message-ID: Hi, I have a scenario where I want to allow a client (let's call it C1) to access a service S1 which in turn needs to call a method in an "internal" service S2. So it looks kind of like this: C1 -> S1 -> S2 The way I understand it, I would create a client scope for C1 which adds S1 and S2 as an audience to the access token. However, I don't want C1 to be able to call the S2 services directly. So, the access token for C1 should actually be restricted only to audience S1. Is there any way to accomplish that? The token exchange would probably be one solution, but as it is a technology preview I'm hesitant to use it in production. Thanks, Matthias From sthorger at redhat.com Mon Mar 11 07:52:35 2019 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 11 Mar 2019 12:52:35 +0100 Subject: [keycloak-user] Restricting audience when using service-to-service calls In-Reply-To: References: Message-ID: Depends on whether you want S1 -> S2 to include the user details. 
If you do then your options are: * Use token exchange * Allow C1 to invoke S2 * Firewall S2 so C1 can't access it If you don't then S1 can use a service account to be allowed to invoke S2 without passing on the token from C1. On Mon, 11 Mar 2019 at 11:19, Matthias O wrote: > Hi, > > I have a scenario where I want to allow a client (let's call it C1) to access > a service S1 which in turn needs to call a method in an "internal" service S2. > So it looks kind of like this: > > C1 -> S1 -> S2 > > The way I understand it, I would create a client scope for C1 which adds S1 > and S2 as an audience to the access token. > > However, I don't want C1 to be able to call the S2 services directly. So, > the access token for C1 should actually be restricted only to audience S1. > > Is there any way to accomplish that? The token exchange would probably be > one solution, but as it is a technology preview I'm hesitant to use it in > production. > > Thanks, > Matthias > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From robrecht.anrijs+keycloak at gmail.com Mon Mar 11 08:39:19 2019 From: robrecht.anrijs+keycloak at gmail.com (robrecht anrijs) Date: Mon, 11 Mar 2019 13:39:19 +0100 Subject: [keycloak-user] I have a question about the flow behind the link in the execute-actions-email Message-ID: Hi, I've recently upgraded from keycloak 3.2.1 to 3.4.3. I've noticed that there is a change in the link that is generated in the email. If such a mail is sent with the rest-api execute-actions-email with 'UPDATE_PASSWORD' and with 'VERIFY_EMAIL', a user (in 3.4.3) now gets the info-page and has to click on the link 'Click here to proceed', instead of going directly to the update-password screen. I've seen in the source code of ExecuteActionsActionTokenHandler#handleToken that this is done on purpose. My questions: - Why is this done? Is this an OAuth rule that I'm missing? 
- Is it possible to prevent this extra click? -- If yes: how? -- If no: What is the correct explanation for this feature? So I can explain this to my customer and he understands this extra page-click. Thx for the answers, Kind regards, Robrecht From a.baroni at enteus.it Mon Mar 11 09:50:58 2019 From: a.baroni at enteus.it (Alessio G. Baroni) Date: Mon, 11 Mar 2019 14:50:58 +0100 Subject: [keycloak-user] Propagate updated password to external systems Message-ID: <515946CF-9C77-4763-9CB2-8CA22684AF32@enteus.it> Hello, Firstly, I'm sorry if this email is a duplicate of another thread; I didn't find it. In case, point me to that thread please. I have this scenario (with Keycloak 3.4.3): A user changes their password. The password must be propagated in clear text to 2 external systems (they are reachable by a REST interface). How do I do it? I thought of developing a provider, but I don't know which SPI to use. Thank you very much. Regards, Alessio G. B. From benjamin.huskic at thequalitygate.com Mon Mar 11 11:32:03 2019 From: benjamin.huskic at thequalitygate.com (Benjamin Huskic) Date: Mon, 11 Mar 2019 15:32:03 +0000 Subject: [keycloak-user] Best practice for getting roles for all users Message-ID: Hello everybody, I need to query a list of all users with their roles in our application. I would like to avoid calling for every user (~10000) the GET /auth/admin/realms/{realm}/users/{user-uuid}/role-mappings/realm. The GET /auth/admin/realms/{realm}/users unfortunately does not provide the roles. I have read the API documentation and tried to find out any recommendation on the web, but I didn't find any. The only thing I found was a feature request which might help to lower the calls: https://issues.jboss.org/browse/KEYCLOAK-2035 but it seems that this feature was not implemented. I would like to know if there is a best practice for getting roles for all the users because calling a million times the role-mapping is very inefficient. 
Thank you in advance Kind regards, Benjamin Benjamin Huskić Founder & Solution Director mobile: +971-5444-9-4664 email: benjamin.huskic at thequalitygate.com web: http://www.thequalitygate.com From ben.davies14 at nhs.net Mon Mar 11 11:52:03 2019 From: ben.davies14 at nhs.net (DAVIES, Ben (NHS DIGITAL)) Date: Mon, 11 Mar 2019 15:52:03 +0000 Subject: [keycloak-user] Login success/failure constant time Message-ID: <1552319521805.4290@nhs.net> Hi! Just joined the list and looking for some answers RE: security features of Keycloak. I had a google about and a read of the docs but I couldn't find an answer to my question. Does Keycloak ensure that failed logins and successful logins take the same amount of time? I've been asked as part of an OWASP questionnaire (section V2.28 "Verify that all authentication challenges, whether successful or failed, should respond in the same average response time"). Does anyone know if this is the case, or ideally point to some documentation of this fact? Cheers! Ben 
From weissbiermuggerl at gmail.com Mon Mar 11 11:55:54 2019 From: weissbiermuggerl at gmail.com (Matthias O) Date: Mon, 11 Mar 2019 16:55:54 +0100 Subject: [keycloak-user] Restricting audience when using service-to-service calls In-Reply-To: References: Message-ID: Thanks, Stian. That's what I thought. We need the user details and firewalling is not an option. Do you have any concerns using the token exchange in a production system? On Mon, 11 Mar 2019 at 12:52, Stian Thorgersen <sthorger at redhat.com> wrote: > Depends if you want S1 -> S2 to include the user details. If you do then > your options are: > > * Use token exchange > * Allow C1 to invoke S2 > * Firewall S2 so C1 can't access it > > If you don't then S1 can use a service account to be allowed to invoke S2 > without passing on the token from C1. > > On Mon, 11 Mar 2019 at 11:19, Matthias O > wrote: > >> Hi, >> >> I have a scenario where I want to allow a client (let's call it C1) to access >> a service S1 which in turn needs to call a method in "internal" service >> S2. >> So it looks kind of like this: >> >> C1 -> S1 -> S2 >> >> The way I understand it, I would create a client scope for C1 which adds >> S1 >> and S2 as an audience to the access token. >> >> However, I don't want C1 to be able to call the S2 services directly. So, >> the access token for C1 should actually be restricted only to audience S1. >> >> Is there any way to accomplish that? The token exchange would probably be >> one solution, but as it is a technology preview I'm hesitant to use it in >> production. 
>> >> Thanks, >> Matthias >> > From Tony.Harris at oneadvanced.com Mon Mar 11 12:03:26 2019 From: Tony.Harris at oneadvanced.com (Tony Harris) Date: Mon, 11 Mar 2019 16:03:26 +0000 Subject: [keycloak-user] Best practice for getting roles for all users In-Reply-To: References: Message-ID: <2be371c60c684566a3e043cf2ecdc3b6@SL1ACSEXCMB03.acsresource.com> I would be interested to know this too. In order to overcome some of the performance issues we found when having to iterate over the users, we used the Keycloak provider extension points to add our own custom REST endpoints with our own database query to perform the lookup in one statement for all users matching the search criteria. I would sooner not do this as it just added additional overheads when we upgrade. Regards Tony Harris -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Benjamin Huskic Sent: 11 March 2019 15:32 To: keycloak-user at lists.jboss.org Subject: [keycloak-user] Best practice for getting roles for all users Hello everybody, I need to query a list of all users with their roles in our application. I would like to avoid calling for every user (~10000) the GET /auth/admin/realms/{realm}/users/{user-uuid}/role-mappings/realm. The GET /auth/admin/realms/{realm}/users unfortunately does not provide the roles. I have read the API documentation and tried to find out any recommendation on the web, but I didn't find any. The only thing I found was a feature request which might help to lower the calls: https://issues.jboss.org/browse/KEYCLOAK-2035 but it seems that this feature was not implemented. I would like to know if there is a best practice for getting roles for all the users because calling a million times the role-mapping is very inefficient. 
Thank you in advance Kind regards, Benjamin Benjamin Huskić Founder & Solution Director mobile: +971-5444-9-4664 email: benjamin.huskic at thequalitygate.com web: http://www.thequalitygate.com From vikram.eswar at fleetroute.com Mon Mar 11 12:13:58 2019 From: vikram.eswar at fleetroute.com (Vikram) Date: Mon, 11 Mar 2019 17:13:58 +0100 Subject: [keycloak-user] Retrieving user information through the admin client on springboot Message-ID: <57b61796-0799-43a1-bf3b-c442765890a6@fleetroute.com> Hi all, Versions in use: Keycloak version : 4.8.2 Springboot adapter version: 4.8.3 FINAL Keycloak admin client 4.8.2 FINAL So I am trying to get all the users that have a role "customer" and belong to a group "group1". I am using the following code.

    // admin-client lookup: members of realm role "customer", then filter by group
    RoleResource roleResource = realmResource.roles().get("customer");
    Set<UserRepresentation> customers = roleResource.getRoleUserMembers();
    List<UserRepresentation> groupCustomers = new ArrayList<>();
    for (UserRepresentation user : customers) {
        if (user.getGroups().contains("group1")) { // error: the representation carries no group information here (see below)
            System.out.println("group customer: " + user.getUsername());
            groupCustomers.add(user);
        }
    }

However, I get an error when I loop through the user representations to read the group names. I do not get the group and roles information. I get the username, first name and last name though.. Is it a permission issue ? How can I get around it ? Regards, Vikram From victor at dvelp.co.uk Mon Mar 11 14:59:58 2019 From: victor at dvelp.co.uk (Victor Alejo) Date: Mon, 11 Mar 2019 19:59:58 +0100 Subject: [keycloak-user] Keycloak Saml Client ID In-Reply-To: <1142593f-a23b-d906-e0cc-6fea7ca6dd80@redhat.com> References: <1142593f-a23b-d906-e0cc-6fea7ca6dd80@redhat.com> Message-ID: Thank you for your reply John. We have set the EntityId of the client as the ClientID in keycloak. 
Basically anything we add in ClientID is appearing in the IDPSSODescriptor metadata. Now we get the response "Invalid Requester". Our client has these 3 configuration options: - Identity Provider Issuer -> EntityID = ClientID Keycloak - SSO URL -> https://domain/auth/realms/keycloak_realm/protocol/saml - Certificate -> X.509 added. Certificate is not failing, and SSO URL looks to redirect correctly. IdP Issuer looks to be ok now, so I am guessing that this error is about the mapping attributes of the user authenticating? Thanks Regards On Fri, Mar 8, 2019 at 9:17 PM John Dennis wrote: > On 3/8/19 1:50 PM, Victor Alejo wrote: > > Hi, > > > > I am integrating Keycloak with my service using a saml client but I got > all > > the time "unknown login requester" error. > > > > My service: > > - Uses Saml 2.0 > > - SSO URL pointing to: > > > https://sso.develop.stentle.com/auth/realms/my_realm_keycloak_app/protocol/saml > > < > https://sso.develop.stentle.com/auth/realms/customer-support/protocol/saml > > > > > > - Certificate X.509 Added Working. > > > > - Identity Provider Issuer: This is the value we know how to set. > > > > - The client_ID value in the saml client of Keycloak: > > > > "Specified ID referenced in URI and tokens. For example 'my-client' > This > > is also the expected issuer value from auth request" > > > > Does anyone know what should be in this value and how it relates to the > > Identity Provider Issuer? > > It's not related. There are two parties involved, the IdP (i.e. > Keycloak) and the SP (i.e. your client). Each must know about the other, > typically this is done through SAML metadata exchange but Keycloak allows > you to manually add the client if you don't have metadata. > > Each party is identified by something SAML calls the entityID, it *must* > be a URN. You will find the entityID for the SP in the EntityDescriptor > of the clients metadata and the entityID in the EntityDescriptor in your > Keycloak's realm metadata. 
Keycloak's clientid *is* the SAML SP's > entityID and appears in the authnRequest sent by your SP to Keycloak. > What is sent by your SP as its entityID *must* match the entityID (i.e. > clientid) registered in your Keycloak realm. To find the IdP entity > description register or create your SAML SP client in your realm and > then click on the Installation tab, then select SAML Metadata > IDPSSODescriptor as the format. Your SP may need this metadata depending > on the client. It just so happens that the issuer field in the realm's > OpenID Endpoint Configuration matches the SAML IDP entityID, but it's > best to pull this value from the SAML IDP metadata. > > > -- > John Dennis > From jdennis at redhat.com Mon Mar 11 15:40:49 2019 From: jdennis at redhat.com (John Dennis) Date: Mon, 11 Mar 2019 15:40:49 -0400 Subject: [keycloak-user] Keycloak Saml Client ID In-Reply-To: References: <1142593f-a23b-d906-e0cc-6fea7ca6dd80@redhat.com> Message-ID: <4d72ca4a-6299-549e-ff89-5a0944eea729@redhat.com> On 3/11/19 2:59 PM, Victor Alejo wrote: > Thank you for your reply John. > > We have set the EntityId of the client as the ClientID in keycloak. > Basically anything we add in ClientID is appearing in the > IDPSSODescriptor metadata. IDPSSODescriptor != SPSSODescriptor Your client of Keycloak is a SAML SP, therefore any changes you make to the *client* should only be reflected in the SPSSODescriptor *not* the IDPSSODescriptor. > > Now we get the response "Invalid Requester". You probably still have a problem with mismatched entityID's. There are two parties involved, Keycloak as the IdP and your client as an SP. Each *must* know its own entityID *and* the entityID of the connecting party. That's how they identify each other. > > Our client has these 3 configuration options: > - Identity Provider Issuer -> EntityID = ClientID Keycloak If you're saying you've entered the clientid as the IdP entityID that's incorrect. 
Make sure you understand who is playing the role of IdP and SP (see above). > - SSO URL -> https://domain/auth/realms/keycloak_realm/protocol/saml > - Certificate -> X.509 added. > > Certificate is not failing, and SSO URL looks to redirect correctly. IdP > Issuer looks to be ok now, so I am guessing that this error is about the > mapping attributes of the user authenticating? No, you're not even getting that far. First Keycloak has to look up the client trying to connect to it and validate it. That lookup and validation is going to fail if both parties don't agree on the entityID's in use. It's easy to see what entityID's are in use by using a browser extension that captures and displays SAML messages. The following doc shows how to use those extensions. The doc was written for a different SAML SP but the issues are the same. https://github.com/Uninett/mod_auth_mellon/blob/master/doc/user_guide/mellon_user_guide.adoc#trace_saml_flow Sections 4.7 and 4.9 in the doc are relevant to entityID's and the format of the authnRequest, once again, although this is a different SAML SP those sections are generic SAML. https://github.com/Uninett/mod_auth_mellon/blob/master/doc/user_guide/mellon_user_guide.adoc > > Thanks > Regards > > > On Fri, Mar 8, 2019 at 9:17 PM John Dennis > wrote: > > On 3/8/19 1:50 PM, Victor Alejo wrote: > > Hi, > > > > I am integrating Keycloak with my service using a saml client but > I got all > > the time "unknown login requester" error. > > > > My service: > > - Uses Saml 2.0 > > - SSO URL pointing to: > > > https://sso.develop.stentle.com/auth/realms/my_realm_keycloak_app/protocol/saml > > > > > > > - Certificate X.509 Added Working. > > > > - Identity Provider Issuer: This is the value we know how to > set. > > > > - The client_ID value in the saml client of Keycloak: > > > > "Specified ID referenced in URI and tokens. For example > 'my-client' 
This > > is also the expected issuer value from auth request" > > > > Does anyone know what should be in this value and how it relates to the > > Identity Provider Issuer? > > It's not related. There are two parties involved, the IdP (i.e. > Keycloak) and the SP (i.e. your client). Each must know about the > other, > typically this is done through SAML metadata exchange but Keycloak allows > you to manually add the client if you don't have metadata. > > Each party is identified by something SAML calls the entityID, it > *must* > be a URN. You will find the entityID for the SP in the EntityDescriptor > of the clients metadata and the entityID in the EntityDescriptor in > your > Keycloak's realm metadata. Keycloak's clientid *is* the SAML SP's > entityID and appears in the authnRequest sent by your SP to Keycloak. > What is sent by your SP as its entityID *must* match the entityID > (i.e. > clientid) registered in your Keycloak realm. To find the IdP entity > description register or create your SAML SP client in your realm and > then click on the Installation tab, then select SAML Metadata > IDPSSODescriptor as the format. Your SP may need this metadata depending > on the client. It just so happens that the issuer field in the realm's > OpenID Endpoint Configuration matches the SAML IDP entityID, but it's > best to pull this value from the SAML IDP metadata. > > > -- > John Dennis > -- John Dennis From 4integration at gmail.com Tue Mar 12 09:58:27 2019 From: 4integration at gmail.com (4 Integration) Date: Tue, 12 Mar 2019 14:58:27 +0100 Subject: [keycloak-user] Release notes 5.0.0? Message-ID: Hi, I cannot find release notes for 5.0.0, where can I find them? 
https://www.keycloak.org/docs/latest/release_notes/index.html / Joacim From bruno at abstractj.org Tue Mar 12 11:35:03 2019 From: bruno at abstractj.org (Bruno Oliveira) Date: Tue, 12 Mar 2019 12:35:03 -0300 Subject: [keycloak-user] Authentication failed: org.jvnet.libpam.PAMException In-Reply-To: References: Message-ID: <20190312153503.GA25306@abstractj.org> Hi Mizuki, In the scenario you described Keycloak just relies on PAM to authenticate the user. What I'd do before configuring Keycloak is to try dbus-send and pamtester, just to make sure that my setup works. So here's my suggestion, try to run pamtester -v keycloak youruser. If pamtester does not authenticate your user, there's a chance that something is wrong with your setup. Certainly worth reviewing our docs[1]. [1] - https://www.keycloak.org/docs/latest/server_admin/index.html#_sssd On 2019-03-05, mizuki wrote: > Hi, > > We are currently evaluating keycloak as a possible authentication mechanism > deployed to our facility. > We use Kerberos for user authentication with FreeIPA and configured sssd > for user federation in keycloak (following the official documentation from both > keycloak and freeipa.org) > One of the requirements we desire is to enable Kerberos password for SSH > login and enable 'otp' for HTTP based applications. > > To do so, > 1. We enabled both user-auth-types for the user: > - password > - password + otp > > 2. Created HBAC rules in IPA, allowing keycloak server access for the following > services: (I purposely did not enable 'otp' at this point as I want to > verify both 'password' and 'otp' shall work) > - keycloak > - sshd > > 3. 
Confirmed sshd worked with both 'password' and 'otp' types via PAM/SSSD, > then I went ahead and accessed a URL that is protected by keycloak, > 'password' works but 'otp' won't, the following ERRORs were seen in > keycloak's server.log: > ----------- > 2019-03-04 17:01:20,246 WARN [org.keycloak.events] (default task-22) > type=LOGIN_ERROR, realmId=SDCC, clientId=vproxytest03, > userId=9900928d-efee-4192-bbc8-7e29cf512d2b, ipAddress=130.199.6.120, > error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, > redirect_uri=https://www.example.com/secure/ > *, > code_id=d6c83411-4ca8-4d2b-b942-afd0006e98d2, username=mmstestu > 2019-03-04 17:01:43,033 ERROR > [org.keycloak.federation.sssd.impl.PAMAuthenticator] (default task-22) > Authentication failed: org.jvnet.libpam.PAMException: pam_authenticate > failed : Permission denied > at org.jvnet.libpam.PAM.check(PAM.java:113) > at org.jvnet.libpam.PAM.authenticate(PAM.java:129) > at > org.keycloak.federation.sssd.impl.PAMAuthenticator.authenticate(PAMAuthenticator.java:53) > > at > org.keycloak.federation.sssd.SSSDFederationProvider.isValid(SSSDFederationProvider.java:180) > > at > org.keycloak.credential.UserCredentialStoreManager.validate(UserCredentialStoreManager.java:143) > > at > org.keycloak.credential.UserCredentialStoreManager.isValid(UserCredentialStoreManager.java:124) > > at > org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword(AbstractUsernameFormAuthenticator.java:193) > > at > org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:166) > > at > org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:55) > > at > org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:48) > > at > 
org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:113) > > at > org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:97) > > at > org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873) > > at > org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292) > > at > org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:263) > > at > org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:259) > > at > org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:320) > > at sun.reflect.GeneratedMethodAccessor719.invoke(Unknown Source) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55) > > at java.lang.reflect.Method.invoke(Method.java:508) > at > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) > > at > org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509) > > at > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399) > > at > org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363) > > at > org.jboss.resteasy.core.ResourceMethodInvoker$$Lambda$849.00000000BB8BBB40.get(Unknown > Source) > at > org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) > > at > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365) > > at > org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337) > > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) > > at > 
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) > > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443) > > at > org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233) > > at > org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$847.00000000BE026450.run(Unknown > Source) > at > org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139) > > at > org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$848.00000000BDC48A90.get(Unknown > Source) > at > org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) > > at > org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142) > > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219) > > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) > > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > > at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) > at > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) > > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > > at > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > > at > 
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > > at > io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) > > at > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > > at > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) > > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > > at > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > > at > io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > > at > 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at > org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) > > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) > > at > io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) > > at > io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) > > at > io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) > > at > io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) > > at > io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) > > at > org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) > > at > org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$693.00000000BCF725B0.call(Unknown > Source) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown > Source) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown > Source) > at > 
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown > Source) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown > Source) > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) > > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) > > at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) > at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) > at > org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) > > at > org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) > > at > org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) > > at > org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) > > at java.lang.Thread.run(Thread.java:812) > ------------------ > > Interesting thing is keycloak handles OTP just fine if I have > 'password+otp' only checked on, then we won't be able to log onto the > machines via SSH using password, that defeats our purposes. > > I tested different version of JAVA and the latest keycloak (4.8.3) version > (on REHL 7), all got the same results. > I'm wondering if this is more likely a bug or I missed something. 
> I'd appreciate it if someone can advise what the approach is. > > Thank you very much. > > Mizuki > -- abstractj From rafaelweingartner at gmail.com Tue Mar 12 12:19:24 2019 From: rafaelweingartner at gmail.com (Rafael Weingärtner) Date: Tue, 12 Mar 2019 13:19:24 -0300 Subject: [keycloak-user] Realm admins that can only create users (but not list/query them) Message-ID: Hello Keycloakers, I was wondering, is it possible to create a policy to authorize certain users to create other users, but not list the users that we already have in the realm? I know that I can control the groups listed for user-group management for certain realm admins, but we want/need something different. We need to allow specific users to add new users and assign them to groups (some restricted groups). Ideally, they should be able to manage all users in their own group as well. Is something like this possible? I am reading about authorization scopes, and authorization service, but I am kind of lost on how to manage scope and policies to keycloak actions (create/delete/update/list resources[users/clients/groups]). -- Rafael Weingärtner From kapilkumarjoshi001 at gmail.com Tue Mar 12 13:54:35 2019 From: kapilkumarjoshi001 at gmail.com (kapil joshi) Date: Tue, 12 Mar 2019 23:24:35 +0530 Subject: [keycloak-user] Not able to add roles Message-ID: Hi team, I have a user with roles of view realm, manage users and manage authorization. I logged in with the above user credentials and tried to access the admin console; there I could navigate to the roles section, could see the roles and edit too, BUT cannot ADD new roles, as well as cannot add attributes to the existing roles. 
Can someone from the team guide me on which client role to give this logged-in user, such that I can enable the ADD roles button and add attributes to the existing roles.

Thanks
Kapil

From felix at 0b1.se Tue Mar 12 17:04:32 2019
From: felix at 0b1.se (Felix Gustavsson)
Date: Tue, 12 Mar 2019 22:04:32 +0100
Subject: [keycloak-user] Custom error message in "Authenticator Execution" Script
Message-ID: <4571-5c881f00-19-3c201ac0@64876868>

Hi

I'm trying to create a Browser Authentication flow in Keycloak which rejects the user if it does not have the required role, however I am unable to show the user a customized message on a rendered error page. How does one show a custom error message defined in the script?

I've been able to show a custom error in JSON using the code below, however I would like it to be rendered using for example the error.ftl template, i.e. keycloak/themes/src/main/resources/theme/base/login/error.ftl

AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
ErrorRepresentation = Java.type("org.keycloak.representations.idm.ErrorRepresentation");
Response = Java.type("javax.ws.rs.core.Response");
MediaType = Java.type("javax.ws.rs.core.MediaType");

function authenticate(context) {
    /* CODE FOR AUTH CHECK */
    // authShouldFail and username are set by the auth check above;
    // LOG and script are bound by Keycloak's script authenticator.
    if (authShouldFail) {
        var errorRep = new ErrorRepresentation();
        errorRep.setErrorMessage("You are not authorized to use this application");
        // Build a JSON error response and hand it to the flow as the failure response
        var response = Response.status(401).entity(errorRep).type(MediaType.APPLICATION_JSON_TYPE).build();
        LOG.info(script.name + " failed auth for: " + username);
        context.failure(AuthenticationFlowError.INVALID_USER, response);
        return;
    }
    context.success();
}

From anandxmj at gmail.com Tue Mar 12 17:37:31 2019
From: anandxmj at gmail.com (Anand Joshi)
Date: Tue, 12 Mar 2019 17:37:31 -0400
Subject: [keycloak-user] IDP Mapper Mapping User defined attribute to JWT Claim
Message-ID:

Hello,

I am using Keycloak as IDP, allowing my application to log in with Google, Facebook or LinkedIn. I have an in-house API service which maintains certain IDs which can be looked up with Google, Facebook, LinkedIn usernames. I want to make these IDs available as part of a custom JWT claim.

I want to know if I can handle this solely at the IDP Mapper level without introducing any client-specific mapper. This way I can avoid replicating mappers for every client I create if I can achieve it at the IDP Mapper level itself.

Please let me know
Anand

From celso.agra at gmail.com Tue Mar 12 18:03:51 2019
From: celso.agra at gmail.com (Celso Agra)
Date: Tue, 12 Mar 2019 19:03:51 -0300
Subject: [keycloak-user] Attribute tab for Client
Message-ID:

Hi all,

Just to start a discussion here... What about creating an Attribute tab for Clients? I believe it would be interesting if you are planning to add more info about your Client.

Best regards,
--
---
*Celso Agra*

From David.Erie at datapath.com Tue Mar 12 18:20:55 2019
From: David.Erie at datapath.com (David Erie (US))
Date: Tue, 12 Mar 2019 22:20:55 +0000
Subject: [keycloak-user] Priority order of OIDC Token mappings
Message-ID:

Hi,

I am trying to create two sets of OIDC Token mappers in my OIDC client. One set are "user attribute" mappers, and the other set are "hardcoded" mappers. I want the hardcoded ones to take precedence over the user attribute ones. However, the Priority Order seems to be random. It's not based on the type of mapper as the documentation and initial experimentation led me to believe, and it's not based on the order in which they are created. How can I guarantee the order in which these mappers are applied?
Thank you for the help,
Dave

From gkannan35 at gmail.com Tue Mar 12 18:59:48 2019
From: gkannan35 at gmail.com (gowtham kannan)
Date: Tue, 12 Mar 2019 18:59:48 -0400
Subject: [keycloak-user] Idp hint in Keycloak
Message-ID:

Hi everyone.

We are trying to integrate Keycloak with Galaxy (https://github.com/galaxyproject). In Galaxy, we are supposed to include a custom identity platform (like CILogon) which provides federated identity management for the users. But our requirement is that we need to restrict access to only certain research collaborations or federated authentication providers; but if we enroll CILogon as an idp provider in Keycloak, then we are providing access to all the authentication providers supported by CILogon. The other alternative is that we create IDPs for each federated identity within our Keycloak server, but it might lead to poor management of the Keycloak server.

So, is there a way to give the auth-provider URL after the user has selected the specific authentication scheme from the client (dynamic idp hinting)?

Thanks a lot in advance.

--
Regards,
Gowtham Kannan B
Graduate Student, Computer Science
Indiana University, Bloomington

From niko at n-k.de Wed Mar 13 04:45:27 2019
From: niko at n-k.de (Niko Köbler)
Date: Wed, 13 Mar 2019 09:45:27 +0100
Subject: [keycloak-user] Monitoring Keycloak
Message-ID: <23F0D559-6F56-48C6-B604-D9C640ABDAED@n-k.de>

Hi,

is there any documentation about how and what is possible to monitor in Keycloak via an API or something? I don't find anything about a special Keycloak monitoring in the docs. Customers are in general curious about the current session count, cache size (and memory allocation) of Infinispan, error rates, etc. Do we have to use standard Wildfly/Infinispan APIs? JMX? How do others solve this? Any ideas?
Thanks and regards,
- Niko

From vikram.eswar at fleetroute.com Wed Mar 13 05:13:58 2019
From: vikram.eswar at fleetroute.com (Vikram)
Date: Wed, 13 Mar 2019 10:13:58 +0100
Subject: [keycloak-user] Retrieving user information through the admin client on springboot
Message-ID:

Hi all,

Versions in use:
Springboot version: 2.1.3 FINAL
Keycloak version: 4.8.2
Springboot adapter version: 4.8.3 FINAL
Keycloak admin client 4.8.2 FINAL

So I am trying to get all the users that have a role "customer" and belong to a group "group1". I am using the following code.

import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import org.keycloak.admin.client.resource.RoleResource;
import org.keycloak.representations.idm.UserRepresentation;

// realmResource is the RealmResource obtained from the admin client
RoleResource roleResource = realmResource.roles().get("customer");
Set<UserRepresentation> customers = roleResource.getRoleUserMembers();
List<UserRepresentation> groupCustomers = new ArrayList<>();
for (UserRepresentation user : customers) {
    if (user.getGroups().contains("group1")) { // error
        System.out.println("group customer: " + user.getUsername());
        groupCustomers.add(user);
    }
}

However, I get an error when I loop through the user representations to read the group names. I do not get the group and roles information. I get the username, first name and last name though. Is it a permission issue? How can I get around it?

Regards,
Vikram

From wim.vandenhaute at gmail.com Wed Mar 13 08:59:46 2019
From: wim.vandenhaute at gmail.com (Wim Vandenhaute)
Date: Wed, 13 Mar 2019 13:59:46 +0100
Subject: [keycloak-user] Password policy update automatic trigger
Message-ID:

Hello list,

In the documentation, it is stated at https://www.keycloak.org/docs/latest/server_admin/index.html#_password-policies

"If the password policy is updated, an Update Password action must be set for every user. An automatic trigger is scheduled as a future enhancement."

I was wondering if there is any schedule for such a feature in the pipeline?

Related to that, might there be an enhancement in the pipeline to force a keycloak user to update his password when his current credential violates the policy?
That is, if no automatic trigger was run when the password policy was updated.

I realize this can be easily added via a custom user storage provider implementing the CredentialInputValidator SPI by adding something like

private boolean isValidKeycloakPassword(String username, String password) {
    PasswordPolicyManagerProvider provider = keycloakSession.getProvider(PasswordPolicyManagerProvider.class);
    // validate() returns the first violated PolicyError, or null when the password satisfies the realm policy
    return provider.validate(username, password) == null;
}

But might this not be a valid, possibly configurable, option?

From ssilvert at redhat.com Wed Mar 13 09:10:18 2019
From: ssilvert at redhat.com (Stan Silvert)
Date: Wed, 13 Mar 2019 09:10:18 -0400
Subject: [keycloak-user] Not able to add roles
In-Reply-To:
References:
Message-ID:

For the ability to add roles, the user needs "manage-realm" permission. Looks like the same one turns on the ability to add attributes to roles as well.

Stan

On 3/12/2019 1:54 PM, kapil joshi wrote:
> Hi team, > > I have a user with roles of view realm, manage users and manage > authorization. I logged in with the above user credentials and tried to > access the admin console, there I could navigate to the roles section, could see > the roles and edit them too, BUT cannot ADD new roles, as well as cannot add > attributes to the existing roles. Can someone from the team guide me to > provide which client role to this logged-in user, such that I can enable the > ADD roles button and add attributes to the existing roles.
> > > Thanks > Kapil > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From jan.lengenfeld at gbtec.de Wed Mar 13 12:28:57 2019
From: jan.lengenfeld at gbtec.de (Lengenfeld, Jan)
Date: Wed, 13 Mar 2019 16:28:57 +0000
Subject: [keycloak-user] Performance issues when creating users with keycloak-admin-client
Message-ID: <89792861e9264311a193263be3531476@gbtec.de>

Hello,

are there any performance issues known regarding the following method?

Keycloak.realm("someRealm").users().create(someUserRepresentation);

We want to create a batch of users in a loop. After every tenth user it takes approximately 10 minutes for the call to return.

Is this behavior known or did we miss configuring something?

Kind regards
Jan Lengenfeld

From jens.bissinger at coliquio.de Wed Mar 13 09:38:14 2019
From: jens.bissinger at coliquio.de (Jens Bissinger)
Date: Wed, 13 Mar 2019 13:38:14 +0000
Subject: [keycloak-user] Keycloak cluster communication not working properly
Message-ID: <4342F4B8-BDCA-405F-AF58-7735F0B6558E@coliquio.de>

Hi,

we have a keycloak instance running as a docker container in our AWS ECS docker environment. For a single instance this setup works great, but we failed to extend it with a second instance for HA.

Problem: We cannot authenticate on one of the instances behind the load balancer as soon as we have more than one keycloak instance.
Cluster setup:
- Keycloak v5.0.0 (docker image quay.io/keycloak/keycloak:5.0.0)
- Containers are behind AWS ALB load balancers with round-robin but without sticky sessions (the latter is important for our setup)
- JGroups with JDBC_PING configured and instances properly add/remove themselves from the configured MySQL table
- Containers run on separate EC2 hosts, TCP communication between containers is possible (port 7600 exposed also on hosts)
- Cache owners for all distributed caches are set to 2 (we also tested with 1 but without any different results)

Startup logs from infinispan look fine:
- On startup we see the log message that cluster nodes can discover each other: "ISPN000094: Received new cluster view for channel ejb: [ip-10-129-2-31.eu-central-1.compute.internal|1] (2) [ip-10-129-2-31.eu-central-1.compute.internal, ip-10-129-2-54.eu-central-1.compute.internal]"
- After that also infinispan rebalancing happens: "[Context=offlineClientSessions] ISPN100010: Finished rebalance with members [ip-10-129-2-31.eu-central-1.compute.internal, ip-10-129-2-54.eu-central-1.compute.internal]"

Analysis (so far):
- The problem is obviously because authentication starts on node 1. Due to round robin, authentication will be continued on node 2 and this fails because node 2 does not know about the authentication session started on node 1.
- According to the documentation there should be a lookup from node 2 in the cluster for the started authentication session. It seems like this is not happening, but we cannot see any log related to this.
- Also regular sessions are not distributed in the cache. We tested this running only 1 node to do the authentication and then spinning up a second node and doing a fail-over to the new node. Afterwards the regular session was gone (we are logged out).

Thank you very much.
Regards Jens Bissinger From pjain at rivetlogic.com Wed Mar 13 14:49:35 2019 From: pjain at rivetlogic.com (Paras Jain) Date: Wed, 13 Mar 2019 14:49:35 -0400 Subject: [keycloak-user] How to deploy new keycloak.json Message-ID: Hi, I am running keycloak in standalone mode. As per https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/java-adapter-config.html I have copied the client config from admin console and created a keycloak.json. But I don't know where to put this file for it to take effect. Is there any documentation for that? -- CONFIDENTIALITY NOTICE: This e-mail, including attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information or otherwise be protected by law. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender and destroy all copies and the original message. From bruno at abstractj.org Wed Mar 13 15:08:39 2019 From: bruno at abstractj.org (Bruno Oliveira) Date: Wed, 13 Mar 2019 16:08:39 -0300 Subject: [keycloak-user] How to deploy new keycloak.json In-Reply-To: References: Message-ID: <20190313190839.GA31505@abstractj.org> Hi Paras, I'd suggest to look at the quickstarts. They may provide some guidance https://github.com/keycloak/keycloak-quickstarts. Also, the latest docs are here: https://www.keycloak.org/documentation.html On 2019-03-13, Paras Jain wrote: > Hi, > > I am running keycloak in standalone mode. As per > https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/java-adapter-config.html > I have copied the client config from admin console and created a > keycloak.json. But I don't know where to put this file for it to take > effect. Is there any documentation for that? > > -- > CONFIDENTIALITY NOTICE: This e-mail, including attachments, is for the sole > use of the intended recipient(s) and may contain confidential and > privileged information or otherwise be protected by law. 
Any unauthorized > review, use, disclosure or distribution is prohibited. If you are not the > intended recipient, please contact the sender and destroy all copies and > the original message. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

-- abstractj

From tkyjovsk at redhat.com Wed Mar 13 19:21:50 2019
From: tkyjovsk at redhat.com (Tomas Kyjovsky)
Date: Wed, 13 Mar 2019 19:21:50 -0400 (EDT)
Subject: [keycloak-user] Performance issues when creating users with keycloak-admin-client
In-Reply-To: <89792861e9264311a193263be3531476@gbtec.de>
References: <89792861e9264311a193263be3531476@gbtec.de>
Message-ID: <1316046270.8448290.1552519310768.JavaMail.zimbra@redhat.com>

Hello Jan,

I'm not aware of any issues. This should work normally. We are using the REST client to generate data for our performance testing. I've just tried and successfully generated 10k users in about 1 minute (with the current upstream/master version of the project).

Can you check the configuration of your data source connection pool? In our performance testing we use a MariaDB datasource with: min-pool-size=10, max-pool-size=100, prefill=true, flush-strategy=IdleConnections, prepared-statement-cache-size=100.

Does the Keycloak server log give any hints about what could be going wrong there? Or perhaps your database server log?

Tomas Kyjovsky

----- Original Message -----
> Hello, > > > are there any performance issues known regarding the following method? > > Keycloak.realm("someRealm").users().create(someUserRepresentation); > > > We want to create a batch of users in a loop. After every tenth user it lasts > approximately 10 minutes for the call to return. > > > Is this behavior known or did we miss to configure something?
> > > Kind regards > > > Jan Lengenfeld > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From tkyjovsk at redhat.com Wed Mar 13 19:52:18 2019 From: tkyjovsk at redhat.com (Tomas Kyjovsky) Date: Wed, 13 Mar 2019 19:52:18 -0400 (EDT) Subject: [keycloak-user] Having trouble with Keycloak Performance Testsuite In-Reply-To: References: Message-ID: <2140420355.8450599.1552521138171.JavaMail.zimbra@redhat.com> Hello Zak, I think I can see the problem. There is a known issue with deadlocks on MariaDB (used in the perf testsuite) when concurrently adding many users who have multiple attributes. The `1r_10c_100u` dataset contains 100 users each having 3 attributes. I forgot about this bug when I was updating the README, sorry. Please run the data generation command without the "-DnumOfWorkers=10" parameter. That should work. If not, please let me know. mvn verify -Pgenerate-data -Ddataset=1r_10c_100u CC: Marek, we spoke about this bug a while ago, is there a JIRA for it? I only found KEYCLOAK-2974 which is already closed, perhaps I should create a new one since this problem is still present. Regards, Tomas Kyjovsky ----- Original Message ----- > Hello, > > I'm having trouble getting the test suite to work. I'm following the Getting > started for the impatient instructions. > > I am running: > centos 7 > docker version 1.13.1, build 07f3374/1.13.1 > docker-compose version 1.18.0, build 8dd22a9 > openjdk version "1.8.0_201" > maven 3.5.4 > > Going through the steps I am successful until mvn verify -Pgenerate-data > -Ddataset=1r_10c_100u -DnumOfWorkers=10 > I have tried maven 3.1.1, 3.2.5, 3.6.0 and haven't gotten as far. Below is > the output with maven 3.5.4. > The first error encountered is 500, is this a permissions issue or am I > missing some software? Any help is appreciated. 
> > reated entities: > Realm 1 > > 14:35:23 Time: +5 s > Created entities: > Realm 1 > RealmRole 10 > Client 10 > ClientRole 100 > > 14:35:24 Time: +6 s > Created entities: > Realm 1 > RealmRole 10 > Client 10 > ClientRole 100 > User 3 > > 14:35:24 Error occured: javax.ws.rs.WebApplicationException: Create method > returned status Internal Server Error (Code: 500); expected status: Created > (201) > 14:35:24 Exception thrown from executor service. Shutting down. > Exception in thread "main" java.lang.RuntimeException: > javax.ws.rs.WebApplicationException: Create method returned status Internal > Server Error (Code: 500); expected status: Created (201) > at > org.keycloak.performance.dataset.DatasetLoader.processEntities(DatasetLoader.java:149) > at > org.keycloak.performance.dataset.DatasetLoader.processDataset(DatasetLoader.java:75) > at > org.keycloak.performance.dataset.DatasetLoader.main(DatasetLoader.java:35) > Caused by: javax.ws.rs.WebApplicationException: Create method returned status > Internal Server Error (Code: 500); expected status: Created (201) > at > org.keycloak.admin.client.CreatedResponseUtil.getCreatedId(CreatedResponseUtil.java:43) > at > org.keycloak.performance.dataset.Creatable.createCheckingForConflict(Creatable.java:51) > at > org.keycloak.performance.dataset.Creatable.createOrUpdateExisting(Creatable.java:69) > at > org.keycloak.performance.dataset.DatasetLoader.lambda$processEntities$0(DatasetLoader.java:118) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > at java.lang.Thread.run(Thread.java:748) > [ERROR] Command execution failed. 
> org.apache.commons.exec.ExecuteException: Process exited with an error: 1 > (Exit value: 1) > at org.apache.commons.exec.DefaultExecutor.executeInternal > (DefaultExecutor.java:404) > at org.apache.commons.exec.DefaultExecutor.execute > (DefaultExecutor.java:166) > at org.codehaus.mojo.exec.ExecMojo.executeCommandLine (ExecMojo.java:804) > at org.codehaus.mojo.exec.ExecMojo.executeCommandLine (ExecMojo.java:751) > at org.codehaus.mojo.exec.ExecMojo.execute (ExecMojo.java:313) > at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo > (DefaultBuildPluginManager.java:137) > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > (MojoExecutor.java:208) > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > (MojoExecutor.java:154) > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > (MojoExecutor.java:146) > at > org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject > (LifecycleModuleBuilder.java:117) > at > org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject > (LifecycleModuleBuilder.java:81) > at > org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build > (SingleThreadedBuilder.java:56) > at org.apache.maven.lifecycle.internal.LifecycleStarter.execute > (LifecycleStarter.java:128) > at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305) > at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192) > at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105) > at org.apache.maven.cli.MavenCli.execute (MavenCli.java:954) > at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288) > at org.apache.maven.cli.MavenCli.main (MavenCli.java:192) > at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke > (NativeMethodAccessorImpl.java:62) > at sun.reflect.DelegatingMethodAccessorImpl.invoke > (DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke (Method.java:498) > 
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced > (Launcher.java:289) > at org.codehaus.plexus.classworlds.launcher.Launcher.launch > (Launcher.java:229) > at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode > (Launcher.java:415) > at org.codehaus.plexus.classworlds.launcher.Launcher.main > (Launcher.java:356) > [INFO] > ------------------------------------------------------------------------ > [INFO] Reactor Summary: > [INFO] > [INFO] Keycloak Performance TestSuite 6.0.0-SNAPSHOT ...... SUCCESS [ 1.317 > s] > [INFO] Keycloak Performance TestSuite - Keycloak Server ... SUCCESS [ 2.089 > s] > [INFO] Keycloak Performance TestSuite - Wildfly ModCluster Load Balancer > SUCCESS [ 0.873 s] > [INFO] Keycloak Performance TestSuite - Infinispan Server . SUCCESS [ 1.358 > s] > [INFO] Keycloak Performance TestSuite - Tests 6.0.0-SNAPSHOT FAILURE [ 12.429 > s] > [INFO] > ------------------------------------------------------------------------ > [INFO] BUILD FAILURE > [INFO] > ------------------------------------------------------------------------ > [INFO] Total time: 18.582 s > [INFO] Finished at: 2019-03-07T14:35:24-07:00 > [INFO] > ------------------------------------------------------------------------ > [ERROR] Failed to execute goal org.codehaus.mojo:exec-maven-plugin:1.6.0:exec > (load-data) on project performance-tests: Command execution failed.: Process > exited with an error: 1 (Exit value: 1) -> [Help 1] > org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute > goal org.codehaus.mojo:exec-maven-plugin:1.6.0:exec (load-data) on project > performance-tests: Command execution failed. 
> at org.apache.maven.lifecycle.internal.MojoExecutor.execute > (MojoExecutor.java:213) > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > (MojoExecutor.java:154) > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > (MojoExecutor.java:146) > at > org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject > (LifecycleModuleBuilder.java:117) > at > org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject > (LifecycleModuleBuilder.java:81) > at > org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build > (SingleThreadedBuilder.java:56) > at org.apache.maven.lifecycle.internal.LifecycleStarter.execute > (LifecycleStarter.java:128) > at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305) > at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192) > at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105) > at org.apache.maven.cli.MavenCli.execute (MavenCli.java:954) > at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288) > at org.apache.maven.cli.MavenCli.main (MavenCli.java:192) > at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke > (NativeMethodAccessorImpl.java:62) > at sun.reflect.DelegatingMethodAccessorImpl.invoke > (DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke (Method.java:498) > at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced > (Launcher.java:289) > at org.codehaus.plexus.classworlds.launcher.Launcher.launch > (Launcher.java:229) > at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode > (Launcher.java:415) > at org.codehaus.plexus.classworlds.launcher.Launcher.main > (Launcher.java:356) > Caused by: org.apache.maven.plugin.MojoExecutionException: Command execution > failed. 
> at org.codehaus.mojo.exec.ExecMojo.execute (ExecMojo.java:326) > at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo > (DefaultBuildPluginManager.java:137) > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > (MojoExecutor.java:208) > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > (MojoExecutor.java:154) > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > (MojoExecutor.java:146) > at > org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject > (LifecycleModuleBuilder.java:117) > at > org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject > (LifecycleModuleBuilder.java:81) > at > org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build > (SingleThreadedBuilder.java:56) > at org.apache.maven.lifecycle.internal.LifecycleStarter.execute > (LifecycleStarter.java:128) > at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305) > at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192) > at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105) > at org.apache.maven.cli.MavenCli.execute (MavenCli.java:954) > at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288) > at org.apache.maven.cli.MavenCli.main (MavenCli.java:192) > at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke > (NativeMethodAccessorImpl.java:62) > at sun.reflect.DelegatingMethodAccessorImpl.invoke > (DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke (Method.java:498) > at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced > (Launcher.java:289) > at org.codehaus.plexus.classworlds.launcher.Launcher.launch > (Launcher.java:229) > at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode > (Launcher.java:415) > at org.codehaus.plexus.classworlds.launcher.Launcher.main > (Launcher.java:356) > Caused by: org.apache.commons.exec.ExecuteException: Process 
exited with an > error: 1 (Exit value: 1) > at org.apache.commons.exec.DefaultExecutor.executeInternal > (DefaultExecutor.java:404) > at org.apache.commons.exec.DefaultExecutor.execute > (DefaultExecutor.java:166) > at org.codehaus.mojo.exec.ExecMojo.executeCommandLine (ExecMojo.java:804) > at org.codehaus.mojo.exec.ExecMojo.executeCommandLine (ExecMojo.java:751) > at org.codehaus.mojo.exec.ExecMojo.execute (ExecMojo.java:313) > at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo > (DefaultBuildPluginManager.java:137) > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > (MojoExecutor.java:208) > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > (MojoExecutor.java:154) > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > (MojoExecutor.java:146) > at > org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject > (LifecycleModuleBuilder.java:117) > at > org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject > (LifecycleModuleBuilder.java:81) > at > org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build > (SingleThreadedBuilder.java:56) > at org.apache.maven.lifecycle.internal.LifecycleStarter.execute > (LifecycleStarter.java:128) > at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305) > at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192) > at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105) > at org.apache.maven.cli.MavenCli.execute (MavenCli.java:954) > at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288) > at org.apache.maven.cli.MavenCli.main (MavenCli.java:192) > at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke > (NativeMethodAccessorImpl.java:62) > at sun.reflect.DelegatingMethodAccessorImpl.invoke > (DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke (Method.java:498) > at 
org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced > (Launcher.java:289) > at org.codehaus.plexus.classworlds.launcher.Launcher.launch > (Launcher.java:229) > at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode > (Launcher.java:415) > at org.codehaus.plexus.classworlds.launcher.Launcher.main > (Launcher.java:356) > [ERROR] > [ERROR] > [ERROR] For more information about the errors and possible solutions, please > read the following articles: > [ERROR] [Help 1] > http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException > [ERROR] > [ERROR] After correcting the problems, you can resume the build with the > command > [ERROR] mvn -rf :performance-tests > > > Zak > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From tkyjovsk at redhat.com Wed Mar 13 20:20:50 2019 From: tkyjovsk at redhat.com (Tomas Kyjovsky) Date: Wed, 13 Mar 2019 20:20:50 -0400 (EDT) Subject: [keycloak-user] Having trouble with Keycloak Performance Testsuite In-Reply-To: <2140420355.8450599.1552521138171.JavaMail.zimbra@redhat.com> References: <2140420355.8450599.1552521138171.JavaMail.zimbra@redhat.com> Message-ID: <1271751870.8451153.1552522850232.JavaMail.zimbra@redhat.com> (Adding Marek P. to cc.) ----- Original Message ----- > Hello Zak, > > I think I can see the problem. There is a known issue with deadlocks on > MariaDB (used in the perf testsuite) when concurrently adding many users who > have multiple attributes. The `1r_10c_100u` dataset contains 100 users each > having 3 attributes. I forgot about this bug when I was updating the README, > sorry. > > Please run the data generation command without the "-DnumOfWorkers=10" > parameter. That should work. If not, please let me know. > > mvn verify -Pgenerate-data -Ddataset=1r_10c_100u > > > CC: Marek, we spoke about this bug a while ago, is there a JIRA for it? 
I > only found KEYCLOAK-2974 which is already closed, perhaps I should create a > new one since this problem is still present. > > > Regards, > Tomas Kyjovsky > > > ----- Original Message ----- > > Hello, > > > > I'm having trouble getting the test suite to work. I'm following the > > Getting > > started for the impatient instructions. > > > > I am running: > > centos 7 > > docker version 1.13.1, build 07f3374/1.13.1 > > docker-compose version 1.18.0, build 8dd22a9 > > openjdk version "1.8.0_201" > > maven 3.5.4 > > > > Going through the steps I am successful until mvn verify -Pgenerate-data > > -Ddataset=1r_10c_100u -DnumOfWorkers=10 > > I have tried maven 3.1.1, 3.2.5, 3.6.0 and haven't gotten as far. Below is > > the output with maven 3.5.4. > > The first error encountered is 500, is this a permissions issue or am I > > missing some software? Any help is appreciated. > > > > reated entities: > > Realm 1 > > > > 14:35:23 Time: +5 s > > Created entities: > > Realm 1 > > RealmRole 10 > > Client 10 > > ClientRole 100 > > > > 14:35:24 Time: +6 s > > Created entities: > > Realm 1 > > RealmRole 10 > > Client 10 > > ClientRole 100 > > User 3 > > > > 14:35:24 Error occured: javax.ws.rs.WebApplicationException: Create method > > returned status Internal Server Error (Code: 500); expected status: Created > > (201) > > 14:35:24 Exception thrown from executor service. Shutting down. 
> > Exception in thread "main" java.lang.RuntimeException: > > javax.ws.rs.WebApplicationException: Create method returned status Internal > > Server Error (Code: 500); expected status: Created (201) > > at > > org.keycloak.performance.dataset.DatasetLoader.processEntities(DatasetLoader.java:149) > > at > > org.keycloak.performance.dataset.DatasetLoader.processDataset(DatasetLoader.java:75) > > at > > org.keycloak.performance.dataset.DatasetLoader.main(DatasetLoader.java:35) > > Caused by: javax.ws.rs.WebApplicationException: Create method returned > > status > > Internal Server Error (Code: 500); expected status: Created (201) > > at > > org.keycloak.admin.client.CreatedResponseUtil.getCreatedId(CreatedResponseUtil.java:43) > > at > > org.keycloak.performance.dataset.Creatable.createCheckingForConflict(Creatable.java:51) > > at > > org.keycloak.performance.dataset.Creatable.createOrUpdateExisting(Creatable.java:69) > > at > > org.keycloak.performance.dataset.DatasetLoader.lambda$processEntities$0(DatasetLoader.java:118) > > at > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > > at > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > > at java.lang.Thread.run(Thread.java:748) > > [ERROR] Command execution failed. 
> > org.apache.commons.exec.ExecuteException: Process exited with an error: 1 > > (Exit value: 1) > > at org.apache.commons.exec.DefaultExecutor.executeInternal > > (DefaultExecutor.java:404) > > at org.apache.commons.exec.DefaultExecutor.execute > > (DefaultExecutor.java:166) > > at org.codehaus.mojo.exec.ExecMojo.executeCommandLine > > (ExecMojo.java:804) > > at org.codehaus.mojo.exec.ExecMojo.executeCommandLine > > (ExecMojo.java:751) > > at org.codehaus.mojo.exec.ExecMojo.execute (ExecMojo.java:313) > > at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo > > (DefaultBuildPluginManager.java:137) > > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > > (MojoExecutor.java:208) > > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > > (MojoExecutor.java:154) > > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > > (MojoExecutor.java:146) > > at > > org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject > > (LifecycleModuleBuilder.java:117) > > at > > org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject > > (LifecycleModuleBuilder.java:81) > > at > > org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build > > (SingleThreadedBuilder.java:56) > > at org.apache.maven.lifecycle.internal.LifecycleStarter.execute > > (LifecycleStarter.java:128) > > at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305) > > at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192) > > at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105) > > at org.apache.maven.cli.MavenCli.execute (MavenCli.java:954) > > at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288) > > at org.apache.maven.cli.MavenCli.main (MavenCli.java:192) > > at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method) > > at sun.reflect.NativeMethodAccessorImpl.invoke > > (NativeMethodAccessorImpl.java:62) > > at sun.reflect.DelegatingMethodAccessorImpl.invoke > > 
(DelegatingMethodAccessorImpl.java:43) > > at java.lang.reflect.Method.invoke (Method.java:498) > > at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced > > (Launcher.java:289) > > at org.codehaus.plexus.classworlds.launcher.Launcher.launch > > (Launcher.java:229) > > at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode > > (Launcher.java:415) > > at org.codehaus.plexus.classworlds.launcher.Launcher.main > > (Launcher.java:356) > > [INFO] > > ------------------------------------------------------------------------ > > [INFO] Reactor Summary: > > [INFO] > > [INFO] Keycloak Performance TestSuite 6.0.0-SNAPSHOT ...... SUCCESS [ > > 1.317 > > s] > > [INFO] Keycloak Performance TestSuite - Keycloak Server ... SUCCESS [ > > 2.089 > > s] > > [INFO] Keycloak Performance TestSuite - Wildfly ModCluster Load Balancer > > SUCCESS [ 0.873 s] > > [INFO] Keycloak Performance TestSuite - Infinispan Server . SUCCESS [ > > 1.358 > > s] > > [INFO] Keycloak Performance TestSuite - Tests 6.0.0-SNAPSHOT FAILURE [ > > 12.429 > > s] > > [INFO] > > ------------------------------------------------------------------------ > > [INFO] BUILD FAILURE > > [INFO] > > ------------------------------------------------------------------------ > > [INFO] Total time: 18.582 s > > [INFO] Finished at: 2019-03-07T14:35:24-07:00 > > [INFO] > > ------------------------------------------------------------------------ > > [ERROR] Failed to execute goal > > org.codehaus.mojo:exec-maven-plugin:1.6.0:exec > > (load-data) on project performance-tests: Command execution failed.: > > Process > > exited with an error: 1 (Exit value: 1) -> [Help 1] > > org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute > > goal org.codehaus.mojo:exec-maven-plugin:1.6.0:exec (load-data) on project > > performance-tests: Command execution failed. 
> > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > > (MojoExecutor.java:213) > > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > > (MojoExecutor.java:154) > > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > > (MojoExecutor.java:146) > > at > > org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject > > (LifecycleModuleBuilder.java:117) > > at > > org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject > > (LifecycleModuleBuilder.java:81) > > at > > org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build > > (SingleThreadedBuilder.java:56) > > at org.apache.maven.lifecycle.internal.LifecycleStarter.execute > > (LifecycleStarter.java:128) > > at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305) > > at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192) > > at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105) > > at org.apache.maven.cli.MavenCli.execute (MavenCli.java:954) > > at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288) > > at org.apache.maven.cli.MavenCli.main (MavenCli.java:192) > > at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method) > > at sun.reflect.NativeMethodAccessorImpl.invoke > > (NativeMethodAccessorImpl.java:62) > > at sun.reflect.DelegatingMethodAccessorImpl.invoke > > (DelegatingMethodAccessorImpl.java:43) > > at java.lang.reflect.Method.invoke (Method.java:498) > > at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced > > (Launcher.java:289) > > at org.codehaus.plexus.classworlds.launcher.Launcher.launch > > (Launcher.java:229) > > at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode > > (Launcher.java:415) > > at org.codehaus.plexus.classworlds.launcher.Launcher.main > > (Launcher.java:356) > > Caused by: org.apache.maven.plugin.MojoExecutionException: Command > > execution > > failed. 
> > at org.codehaus.mojo.exec.ExecMojo.execute (ExecMojo.java:326) > > at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo > > (DefaultBuildPluginManager.java:137) > > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > > (MojoExecutor.java:208) > > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > > (MojoExecutor.java:154) > > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > > (MojoExecutor.java:146) > > at > > org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject > > (LifecycleModuleBuilder.java:117) > > at > > org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject > > (LifecycleModuleBuilder.java:81) > > at > > org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build > > (SingleThreadedBuilder.java:56) > > at org.apache.maven.lifecycle.internal.LifecycleStarter.execute > > (LifecycleStarter.java:128) > > at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305) > > at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192) > > at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105) > > at org.apache.maven.cli.MavenCli.execute (MavenCli.java:954) > > at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288) > > at org.apache.maven.cli.MavenCli.main (MavenCli.java:192) > > at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method) > > at sun.reflect.NativeMethodAccessorImpl.invoke > > (NativeMethodAccessorImpl.java:62) > > at sun.reflect.DelegatingMethodAccessorImpl.invoke > > (DelegatingMethodAccessorImpl.java:43) > > at java.lang.reflect.Method.invoke (Method.java:498) > > at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced > > (Launcher.java:289) > > at org.codehaus.plexus.classworlds.launcher.Launcher.launch > > (Launcher.java:229) > > at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode > > (Launcher.java:415) > > at org.codehaus.plexus.classworlds.launcher.Launcher.main > > 
(Launcher.java:356) > > Caused by: org.apache.commons.exec.ExecuteException: Process exited with an > > error: 1 (Exit value: 1) > > at org.apache.commons.exec.DefaultExecutor.executeInternal > > (DefaultExecutor.java:404) > > at org.apache.commons.exec.DefaultExecutor.execute > > (DefaultExecutor.java:166) > > at org.codehaus.mojo.exec.ExecMojo.executeCommandLine > > (ExecMojo.java:804) > > at org.codehaus.mojo.exec.ExecMojo.executeCommandLine > > (ExecMojo.java:751) > > at org.codehaus.mojo.exec.ExecMojo.execute (ExecMojo.java:313) > > at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo > > (DefaultBuildPluginManager.java:137) > > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > > (MojoExecutor.java:208) > > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > > (MojoExecutor.java:154) > > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > > (MojoExecutor.java:146) > > at > > org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject > > (LifecycleModuleBuilder.java:117) > > at > > org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject > > (LifecycleModuleBuilder.java:81) > > at > > org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build > > (SingleThreadedBuilder.java:56) > > at org.apache.maven.lifecycle.internal.LifecycleStarter.execute > > (LifecycleStarter.java:128) > > at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305) > > at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192) > > at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105) > > at org.apache.maven.cli.MavenCli.execute (MavenCli.java:954) > > at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288) > > at org.apache.maven.cli.MavenCli.main (MavenCli.java:192) > > at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method) > > at sun.reflect.NativeMethodAccessorImpl.invoke > > (NativeMethodAccessorImpl.java:62) > > at 
sun.reflect.DelegatingMethodAccessorImpl.invoke
> > (DelegatingMethodAccessorImpl.java:43)
> > at java.lang.reflect.Method.invoke (Method.java:498)
> > at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced
> > (Launcher.java:289)
> > at org.codehaus.plexus.classworlds.launcher.Launcher.launch
> > (Launcher.java:229)
> > at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode
> > (Launcher.java:415)
> > at org.codehaus.plexus.classworlds.launcher.Launcher.main
> > (Launcher.java:356)
> > [ERROR]
> > [ERROR]
> > [ERROR] For more information about the errors and possible solutions,
> > please
> > read the following articles:
> > [ERROR] [Help 1]
> > http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
> > [ERROR]
> > [ERROR] After correcting the problems, you can resume the build with the
> > command
> > [ERROR] mvn -rf :performance-tests
> >
> >
> > Zak

From Sebastian.Schuster at bosch-si.com Thu Mar 14 05:11:50 2019
From: Sebastian.Schuster at bosch-si.com (Schuster Sebastian (INST-CSS/BSV-OS2))
Date: Thu, 14 Mar 2019 09:11:50 +0000
Subject: [keycloak-user] Monitoring Keycloak
In-Reply-To: <23F0D559-6F56-48C6-B604-D9C640ABDAED@n-k.de>
References: <23F0D559-6F56-48C6-B604-D9C640ABDAED@n-k.de>
Message-ID:

Hi Niko,

For Metrics, we use the JMX exporter (https://github.com/prometheus/jmx_exporter) to push stuff into Prometheus and use Grafana to view it.
We add it to the docker image (under /opt/jboss/custom/monitoring/jmx_exporter) and when starting Keycloak, we add

-javaagent:/opt/jboss/custom/monitoring/jmx_exporter/jmx_prometheus_javaagent-0.11.0.jar=8787:/opt/jboss/custom/monitoring/jmx_exporter/wildfly-10.yaml

You will have to adapt the yaml file to describe what metrics should be pulled.

You also have to generate the metrics in the first place, e.g. for enabling infinispan cache metrics we use:

/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens:write-attribute(name=statistics-enabled,value=true)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions:write-attribute(name=statistics-enabled,value=true)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions:write-attribute(name=statistics-enabled,value=true)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:write-attribute(name=statistics-enabled,value=true)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions:write-attribute(name=statistics-enabled,value=true)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:write-attribute(name=statistics-enabled,value=true)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=statistics-enabled,value=true)
/subsystem=infinispan/cache-container=keycloak/local-cache=keys:write-attribute(name=statistics-enabled,value=true)
/subsystem=infinispan/cache-container=keycloak/local-cache=realms:write-attribute(name=statistics-enabled,value=true)
/subsystem=infinispan/cache-container=keycloak/local-cache=users:write-attribute(name=statistics-enabled,value=true)
/subsystem=infinispan/cache-container=keycloak/local-cache=authorization:write-attribute(name=statistics-enabled,value=true)
/subsystem=infinispan/cache-container=keycloak/replicated-cache=work:write-attribute(name=statistics-enabled,value=true)

Don't forget
to open port 8787 on the container.

Best regards,
Sebastian

Kind regards / Best regards

Dr.-Ing. Sebastian Schuster
Open Source Services (INST-CSS/BSV-OS2)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Mobile +49 152 02177668 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com

Registered office: Berlin, Court of registration: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Michael Hahn, Dr. Aleksandar Mitrovic

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Niko Köbler
Sent: Wednesday, 13 March 2019 09:45
To: keycloak-user
Subject: [keycloak-user] Monitoring Keycloak

Hi,

is there any documentation about how and what is possible to monitor in Keycloak via an API or something?
I don't find anything about a special Keycloak monitoring in the docs.
Customers are in general curious about the current session count, cache size (and memory allocation) of Infinispan, error rates, etc.

Do we have to use standard Wildfly/Infinispan APIs? JMX?
How do others solve this? Any ideas?

Thanks and regards,
- Niko

From uo67113 at gmail.com Thu Mar 14 06:24:47 2019
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Thu, 14 Mar 2019 11:24:47 +0100
Subject: [keycloak-user] How to deploy new keycloak.json
In-Reply-To: <20190313190839.GA31505@abstractj.org>
References: <20190313190839.GA31505@abstractj.org>
Message-ID:

Hello Paras,

Yes, definitely quickstarts and latest documentation are good places to start. There is also a keycloak docker image [1].
Just creating the admin user and adding your json should be enough for you:

docker run -e KEYCLOAK_USER= -e KEYCLOAK_PASSWORD \
  -e KEYCLOAK_IMPORT=/tmp/example-realm.json -v /tmp/example-realm.json:/tmp/example-realm.json jboss/keycloak

You can also run it from sources using maven [2]:

mvn -f keycloak/testsuite/utils/pom.xml exec:java -Pkeycloak-server -Dimport=/tmp/example-realm.json

Hope it helps,

Luis

[1] https://hub.docker.com/r/jboss/keycloak/
[2] https://db-blog.web.cern.ch/blog/luis-rodriguez-fernandez/2018-12-testing-web-applications-sso-keycloak

On Wed, 13 Mar 2019 at 20:16, Bruno Oliveira () wrote:

> Hi Paras, I'd suggest looking at the quickstarts. They may provide some
> guidance https://github.com/keycloak/keycloak-quickstarts.
>
> Also, the latest docs are here:
> https://www.keycloak.org/documentation.html
>
>
> On 2019-03-13, Paras Jain wrote:
> > Hi,
> >
> > I am running keycloak in standalone mode. As per
> > https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/java-adapter-config.html
> > I have copied the client config from admin console and created a
> > keycloak.json. But I don't know where to put this file for it to take
> > effect. Is there any documentation for that?
> >
> > --
> > CONFIDENTIALITY NOTICE: This e-mail, including attachments, is for the sole
> > use of the intended recipient(s) and may contain confidential and
> > privileged information or otherwise be protected by law. Any unauthorized
> > review, use, disclosure or distribution is prohibited. If you are not the
> > intended recipient, please contact the sender and destroy all copies and
> > the original message.
> >
> > --
> > abstractj
>

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

From cedric at couralet.eu Thu Mar 14 06:45:36 2019
From: cedric at couralet.eu (cedric@couralet.eu)
Date: Thu, 14 Mar 2019 11:45:36 +0100
Subject: [keycloak-user] Monitoring Keycloak
In-Reply-To:
Message-ID: <402e-5c8a3100-25-1df38ba0@40027530>

Hi Sebastian,

On Thursday, March 14, 2019 10:11 CET, "Schuster Sebastian (INST-CSS/BSV-OS2)" wrote:

> Hi Niko,
>
> For Metrics, we use the JMX exporter (https://github.com/prometheus/jmx_exporter) to push stuff into Prometheus and use Grafana to view it.
>
> We add it to the docker image (under /opt/jboss/custom/monitoring/jmx_exporter) and when starting Keycloak, we add
> -javaagent:/opt/jboss/custom/monitoring/jmx_exporter/jmx_prometheus_javaagent-0.11.0.jar=8787:/opt/jboss/custom/monitoring/jmx_exporter/wildfly-10.yaml
> You will have to adapt the yaml file to describe what metrics should be pulled.

How do you add that argument with docker? I tried with the $JAVA_OPTS env variable but it fails saying my logging properties are not what they should:

WFLYLOG0078: The logging subsystem requires the log manager to be org.jboss.logmanager.LogManager. The subsystem has not be initialized and cannot be used. To use JBoss Log Manager you must add the system property "java.util.logging.manager" and set it to "org.jboss.logmanager.LogManager"

Do you have any ideas?
--
Cédric Couralet

From jan.lengenfeld at gbtec.de Thu Mar 14 07:06:18 2019
From: jan.lengenfeld at gbtec.de (Lengenfeld, Jan)
Date: Thu, 14 Mar 2019 11:06:18 +0000
Subject: [keycloak-user] Performance issues when creating users with keycloak-admin-client
In-Reply-To: <1316046270.8448290.1552519310768.JavaMail.zimbra@redhat.com>
References: <89792861e9264311a193263be3531476@gbtec.de>, <1316046270.8448290.1552519310768.JavaMail.zimbra@redhat.com>
Message-ID:

Hello Tomas,

thank you for the fast response. There is nothing out of the ordinary in the keycloak or database logs.

To add some information: We use the version 4.5 of Keycloak and a Postgres DB to store the data. Both running in Docker containers.
We tried it from a different system (also a Docker container) that uses Feign clients to communicate with Keycloak and have no problems there. On the same system where we wanted to use the keycloak-admin-client we tried it with RestTemplates and had no problems either. I think that rules out the database as a possible bottleneck.

It would be great if you have any other idea or suggestion where we should take a look. If we don't find another solution we will use RestTemplates but the admin-client would be way more convenient. ;-)

Kind regards
Jan

________________________________
From: Tomas Kyjovsky
Sent: Thursday, 14 March 2019 00:21:50
To: Lengenfeld, Jan
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Performance issues when creating users with keycloak-admin-client

Hello Jan,

I'm not aware of any issues. This should work normally. We are using the REST client to generate data for our performance testing. I've just tried and successfully generated 10k users in about 1 minute (with the current upstream/master version of the project).

Can you check configuration of your data source connection pool?
In our performance testing we use MariaDB datasource with: min-pool-size=10, max-pool-size=100, prefill=true, flush-strategy=IdleConnections, prepared-statement-cache-size=100.

Does Keycloak server log give any hints about what could be going wrong there? Or perhaps your database server log?

Tomas Kyjovsky

----- Original Message -----
> Hello,
>
>
> are there any performance issues known regarding the following method?
>
> Keycloak.realm("someRealm").users().create(someUserRepresentation);
>
>
> We want to create a batch of users in a loop. After every tenth user it lasts
> approximately 10 minutes for the call to return.
>
>
> Is this behavior known or did we miss to configure something?
>
>
> Kind regards
>
>
> Jan Lengenfeld

From vramik at redhat.com Thu Mar 14 07:07:03 2019
From: vramik at redhat.com (Vlasta Ramik)
Date: Thu, 14 Mar 2019 12:07:03 +0100
Subject: [keycloak-user] Monitoring Keycloak
In-Reply-To: <23F0D559-6F56-48C6-B604-D9C640ABDAED@n-k.de>
References: <23F0D559-6F56-48C6-B604-D9C640ABDAED@n-k.de>
Message-ID: <34458456-c182-0bd6-796f-6d302ef13578@redhat.com>

Hey Niko,

just FYI with upcoming upgrade to Wildfly 16 we plan to enable SmallRye Health and Metrics extensions [1]

[1] https://issues.jboss.org/browse/KEYCLOAK-9708

On 3/13/19 9:45 AM, Niko Köbler wrote:
> Hi,
>
> is there any documentation about how and what is possible to monitor in Keycloak via an API or something?
> I don't find anything about a special Keycloak monitoring in the docs.
> Customers are in general curious about the current session count, cache size (and memory allocation) of Infinispan, error rates, etc.
>
> Do we have to use standard Wildfly/Infinispan APIs? JMX?
> How do others solve this? Any ideas?
>
> Thanks and regards,
> - Niko

From vramik at redhat.com Thu Mar 14 07:10:24 2019
From: vramik at redhat.com (Vlasta Ramik)
Date: Thu, 14 Mar 2019 12:10:24 +0100
Subject: [keycloak-user] Keycloak cluster communication not working properly
In-Reply-To: <4342F4B8-BDCA-405F-AF58-7735F0B6558E@coliquio.de>
References: <4342F4B8-BDCA-405F-AF58-7735F0B6558E@coliquio.de>
Message-ID: <38414aa2-ea25-6da8-ba40-db29ecf9b41e@redhat.com>

Hey Jens,

would you mind creating a ticket[1] for the issue, please?

[1] https://issues.jboss.org/projects/KEYCLOAK

On 3/13/19 2:38 PM, Jens Bissinger wrote:
> Hi,
>
> we have a keycloak instance running as docker container in our AWS ECS docker environment.
>
> For single instance this setup works great, but we failed to enhance it with a second instance for HA.
>
> Problem: We cannot authenticate in one of instances behind the load balancer as soon as we have more than one keycloak instance.
>
> Cluster setup:
>
> - Keycloak v5.0.0 (docker image quay.io/keycloak/keycloak:5.0.0)
> - Containers are behind AWS ALB load balancers with round-robin but without sticky sessions (the latter is important for our setup)
> - JGroups with JDBC_PING configured and instances properly add/remove themselves from the configured MySQL table
> - Containers run on separate EC2 hosts, TCP communication between containers is possible (port 7600 exposed also on hosts)
> - Cache owners for all distributed caches are set to 2 (we also tested with 1 but without any different results)
>
> Startup logs from infinispan look fine:
>
> - On startup we see log message that cluster nodes can discover each other
> "ISPN000094: Received new cluster view for channel ejb: [ip-10-129-2-31.eu-central-1.compute.internal|1] (2) [ip-10-129-2-31.eu-central-1.compute.internal, ip-10-129-2-54.eu-central-1.compute.internal]"
> - After that also infinispan rebalancing happens
> "[Context=offlineClientSessions] ISPN100010: Finished rebalance with members [ip-10-129-2-31.eu-central-1.compute.internal, ip-10-129-2-54.eu-central-1.compute.internal]"
>
> Analysis (so far):
>
> - The problem is obviously because authentication starts on node 1. Due to round robin authentication will be continued on node 2 and this fails because node 2 does not know about the authentication session started on node 1.
> - According to the documentation there should be a lookup from node 2 in the cluster for started authentication session. Seems like this is not happening, but we cannot see any log related to this.
> - Also regular sessions are not distributed in the cache. We tested this running only 1 node to do the authentication and then spinning up a second node and doing a fail-over to the new node. Afterwards the regular session was gone (we are logged out).
>
> Thank you very much.
>
> Regards
> Jens Bissinger

From vramik at redhat.com Thu Mar 14 07:18:04 2019
From: vramik at redhat.com (Vlasta Ramik)
Date: Thu, 14 Mar 2019 12:18:04 +0100
Subject: [keycloak-user] Attribute tab for Client
In-Reply-To:
References:
Message-ID: <019cf590-0f30-f181-4ce5-d0504235ebd4@redhat.com>

Hey Celso,

this discussion probably belongs to the keycloak-dev mailing list; you can raise your question there, possibly providing further details and use-cases about the feature you are proposing.

Thanks

On 3/12/19 11:03 PM, Celso Agra wrote:
> Hi all,
>
> Just to start a discussion here...
> What about creating an Attribute tab for Clients? I believe it would be
> interesting, if you are planning to add more info about your Client.
>
>
> Best regards,
>

From vramik at redhat.com Thu Mar 14 07:22:18 2019
From: vramik at redhat.com (Vlasta Ramik)
Date: Thu, 14 Mar 2019 12:22:18 +0100
Subject: [keycloak-user] Release notes 5.0.0?
In-Reply-To:
References:
Message-ID:

https://www.keycloak.org/docs/latest/release_notes/index.html#keycloak-5-0-0

Thanks for pointing that out.

On 3/12/19 2:58 PM, 4 Integration wrote:
> Hi,
>
> I cannot find release notes for 5.0.0, where can I find it?
> https://www.keycloak.org/docs/latest/release_notes/index.html
>
> / Joacim

From celso.agra at gmail.com Thu Mar 14 08:49:31 2019
From: celso.agra at gmail.com (Celso Agra)
Date: Thu, 14 Mar 2019 09:49:31 -0300
Subject: [keycloak-user] Attribute tab for Client
In-Reply-To: <019cf590-0f30-f181-4ce5-d0504235ebd4@redhat.com>
References: <019cf590-0f30-f181-4ce5-d0504235ebd4@redhat.com>
Message-ID:

Nice! I'll send an email to keycloak-dev.
Thanks Vlasta Ramik

On Thu, 14 Mar 2019 at 08:18, Vlasta Ramik wrote:

> Hey Celso,
>
> this discussion probably belongs to the keycloak-dev mailing list; you
> can raise your question there, possibly providing further details and
> use-cases about the feature you are proposing.
>
> Thanks
>
> On 3/12/19 11:03 PM, Celso Agra wrote:
> > Hi all,
> >
> > Just to start a discussion here...
> > What about creating an Attribute tab for Clients? I believe it would be
> > interesting, if you are planning to add more info about your Client.
> >
> >
> > Best regards,
> >
>

--
---
*Celso Agra*

From niko at n-k.de Thu Mar 14 09:06:31 2019
From: niko at n-k.de (Niko Köbler)
Date: Thu, 14 Mar 2019 14:06:31 +0100
Subject: [keycloak-user] Monitoring Keycloak
In-Reply-To: <34458456-c182-0bd6-796f-6d302ef13578@redhat.com>
References: <23F0D559-6F56-48C6-B604-D9C640ABDAED@n-k.de> <34458456-c182-0bd6-796f-6d302ef13578@redhat.com>
Message-ID:

Thanks, Sebastian and Vlasta,

sounds both good to me, especially the SmallRye extension and that Wildfly/Keycloak will get a "native" API for that.
JMX is always an option, I know, but due to the lack of JMX experience, one tries to avoid it where one is able to avoid it. ;)

- Niko

> On 14.03.2019 at 10:11, Schuster Sebastian (INST-CSS/BSV-OS2) wrote:
>
> Hi Niko,
>
> For Metrics, we use the JMX exporter (https://github.com/prometheus/jmx_exporter) to push stuff into Prometheus and use Grafana to view it.
> On 14.03.2019 at 12:07, Vlasta Ramik wrote:
>
> Hey Niko,
>
> just FYI with upcoming upgrade to Wildfly 16 we plan to enable SmallRye Health and Metrics extensions [1]
>
> [1] https://issues.jboss.org/browse/KEYCLOAK-9708

From andy at codexr.io Thu Mar 14 10:50:25 2019
From: andy at codexr.io (Andy Alexander)
Date: Thu, 14 Mar 2019 10:50:25 -0400
Subject: [keycloak-user] Client of mine is looking for Keycloak expert
Message-ID: <72aee7b5cfa9073aa7370b193773f721@codexr.io>

My client has a Keycloak setup from a previous developer, and we are having some trouble setting up a token exchange to work with new Facebook compliance standards for iOS login. I've asked one of the mods of this mailing list if I can send an email for anyone who might be interested in working on this - most of the work should be done (I think), it should mostly be a matter of correctly setting client policies. If you're interested feel free to contact me with an idea of what you think this will cost.

From nils.el-himoud at bosch-si.com Thu Mar 14 10:53:25 2019
From: nils.el-himoud at bosch-si.com (El-Himoud Nils (INST/ECS2))
Date: Thu, 14 Mar 2019 14:53:25 +0000
Subject: [keycloak-user] Scalability with a lot of clients
Message-ID: <55c9324403e2464995abba2911636a1c@bosch-si.com>

Hi everyone,

In our project we are creating lots of clients in Keycloak. In our loadtests with ~6000 clients we found very slow response times. For example average response times during load tests:

23.9 sec /admin/realms/{realm}/users/{id}/role-mappings (GET)
28.2 sec /admin/realms/{realm}/clients (POST)
20.2 sec /admin/realms/{realm}/clients/{id} (DELETE)

By debugging Keycloak we found that the server is iterating over all clients in the realm. For this finding we opened ticket https://issues.jboss.org/browse/KEYCLOAK-9553.

Initially after Keycloak startup this could take up to 5 minutes but was much faster for subsequent requests. We assume due to local caches. The variance of the response times is very high.
They range from <1s to timeouts after 5 minutes.

What we've tried so far:

First we scaled up the Keycloak instances because we thought it might be a load problem. Turned out that it doesn't need load to reproduce the slow responses, just enough clients.

Then we tried to warmup the caches by running the loadtests for a longer time but couldn't see improvements.

We found that there are configuration options for the caches and tried to gain some insight on the runtime behavior via jboss cli by enabling the cache statistics

  /subsystem=infinispan/cache-container=keycloak/local-cache=realms:write-attribute(name=statistics-enabled,value=true)
  /subsystem=infinispan/cache-container=keycloak:write-attribute(name=statistics-enabled, value=true)
  :reload

With no success. Statistics keep showing only zeros.

  [standalone at localhost:9990 /] ls subsystem=infinispan/cache-container=keycloak/local-cache=realms
  component
  memory
  store
  activations=0
  average-read-time=0
  average-write-time=0
  batching=false
  cache-status=RUNNING
  elapsed-time=0
  hit-ratio=0.0
  hits=0
  indexing=NONE
  indexing-properties=undefined
  invalidations=0
  jndi-name=undefined
  misses=0
  module=undefined
  number-of-entries=0
  passivations=0
  read-write-ratio=0.0
  remove-hits=0
  remove-misses=0
  start=LAZY
  statistics-enabled=false
  stores=0
  time-since-reset=0
  eviction={"EVICTION" => undefined}
  expiration={"EXPIRATION" => undefined}
  locking={"LOCKING" => undefined}
  transaction={"TRANSACTION" => undefined}

At last we tried to manipulate the cache settings for the realms cache

  # default 10000
  /subsystem=infinispan/cache-container=keycloak/local-cache=realms/memory=object:write-attribute(name=max-entries, value=80000)
  # default 10000
  /subsystem=infinispan/cache-container=keycloak/local-cache=realms/memory=object:write-attribute(name=size, value=80000)

This also had no noticeable effect on the response times.

Ah! The connection pool size for the db was also something that we tried to increase.
Setup

Keycloak is running in standalone HA mode with jgroups on Kubernetes (3 replicas). The database is AWS RDS.

Next we want to test the scalability of Keycloak with respect to the number of clients.

Do we miss something about the cache configuration? Is the realm cache the correct one to optimize the problematic endpoints? How can we get the cache statistics working?

  resources:
    request:
      mem: 4Gi
      cpu: 1
    limit:
      mem: 6Gi
      cpu: 3

Java memory parameters are set

  /usr/lib/jvm/java/bin/java -D[Standalone] -server -Xms3276m -Xmx4914m -javaagent:/opt/jboss/newrelic/newrelic.jar -Djboss.modules.system.pkgs

Mit freundlichen Grüßen / Best regards

Nils El-Himoud
INST-IOT/ESW-Imb

From Andrew.Schaar at bluestembrands.com Thu Mar 14 10:56:08 2019
From: Andrew.Schaar at bluestembrands.com (Schaar, Andrew)
Date: Thu, 14 Mar 2019 14:56:08 +0000
Subject: [keycloak-user] Encoded URL does not work as redirect_uri
Message-ID: <2AFE0E7D-DD1F-4B75-BAA6-D5470B925524@bluestembrands.com>

Hello,

We just upgraded from 3.4.2.Final to 4.8.3.Final. After doing so, users can no longer reach the login page when redirect_uri has an encoded space. This happens at RedirectUtils.java:182 when constructing a new URI from the redirect_uri parameter. The issue seems to stem from the fact that when retrieving query parameters, they are decoded.

Do you have any suggestions on a work around beyond changing the urls on our website?

To reproduce, create a new realm named "my-realm"
Create a public client named "web-client"
Add valid redirect url: http://localhost:8888/*
Navigate to the following in a browser:
http://localhost:8888/auth/realms/my-realm/protocol/openid-connect/auth?response_type=code&client_id=web-client&redirect_uri=http://localhost:8888/some%20category

Stack trace:

14:47:36,092 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-9) Uncaught server error: java.lang.IllegalArgumentException: Invalid URL syntax: Illegal character in path at index 26: http://localhost:8888/some category
    at org.keycloak.protocol.oidc.utils.RedirectUtils.normalizeUrl(RedirectUtils.java:185)
    at org.keycloak.protocol.oidc.utils.RedirectUtils.verifyRedirectUri(RedirectUtils.java:83)
    at org.keycloak.protocol.oidc.utils.RedirectUtils.verifyRedirectUri(RedirectUtils.java:52)
    at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.checkRedirectUri(AuthorizationEndpoint.java:371)
    at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:120)
    at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:108)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
    at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
    at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
    at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
    at java.lang.Thread.run(Thread.java:748)

Thank you!
Andrew Schaar

From pjain at rivetlogic.com Thu Mar 14 10:59:51 2019
From: pjain at rivetlogic.com (Paras Jain)
Date: Thu, 14 Mar 2019 10:59:51 -0400
Subject: [keycloak-user] How to deploy new keycloak.json
In-Reply-To:
References: <20190313190839.GA31505@abstractj.org>
Message-ID:

Thanks for your responses Luis and Bruno. I have started looking at the quickstarts in more detail yesterday and they are helpful.

Just to give a little more background to my specific problem. We have been using Keycloak for the last 2-3 months. We are running it successfully in standalone mode. Right now we are facing a CORS issue and to resolve that CORS issue I need to place an updated keycloak.json somewhere, but I don't know where. I have downloaded the file from the admin console as mentioned in https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/java-adapter-config.html and made the necessary modifications. I don't know how to apply it. That is my immediate challenge.

------------------------------
Paras Jain
rivetlogic
Voice +1.703.879.3097
Skype paras.jain_rivetlogic
GTalk pjain at rivetlogic.com
Calendar paras jain's calendar

On Thu, Mar 14, 2019 at 6:38 AM Luis Rodríguez Fernández wrote:
> Hello Paras,
>
> Yes, definitely quickstarts and latest documentation are good places to
> start.
>
> There is also a keycloak docker image [1].
> Just creating the admin user and
> adding your json should be enough for you:
> docker run -e KEYCLOAK_USER= -e KEYCLOAK_PASSWORD \
> -e KEYCLOAK_IMPORT=/tmp/example-realm.json -v
> /tmp/example-realm.json:/tmp/example-realm.json jboss/keycloak
>
> As well you can run it from sources using maven [2]:
>
> mvn -f keycloak/testsuite/utils/pom.xml exec:java -Pkeycloak-server
> -Dimport=/tmp/example-realm.json
>
> Hope it helps,
>
> Luis
>
> [1] https://hub.docker.com/r/jboss/keycloak/
> [2]
> https://db-blog.web.cern.ch/blog/luis-rodriguez-fernandez/2018-12-testing-web-applications-sso-keycloak
>
>
> On Wed., 13 Mar. 2019 at 20:16, Bruno Oliveira () wrote:
>
> > Hi Paras, I'd suggest to look at the quickstarts. They may provide some
> > guidance https://github.com/keycloak/keycloak-quickstarts.
> >
> > Also, the latest docs are here:
> > https://www.keycloak.org/documentation.html
> >
> >
> > On 2019-03-13, Paras Jain wrote:
> > > Hi,
> > >
> > > I am running keycloak in standalone mode. As per
> > > https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/java-adapter-config.html
> > > I have copied the client config from admin console and created a
> > > keycloak.json. But I don't know where to put this file for it to take
> > > effect. Is there any documentation for that?
> > >
> > > --
> > > CONFIDENTIALITY NOTICE: This e-mail, including attachments, is for the
> > > sole use of the intended recipient(s) and may contain confidential and
> > > privileged information or otherwise be protected by law. Any
> > > unauthorized review, use, disclosure or distribution is prohibited. If you are not
> > > the intended recipient, please contact the sender and destroy all copies
> > > and the original message.
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > --
> >
> > abstractj
>
> --
>
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>
> - Samuel Beckett

From mhdwrkoffice at gmail.com Thu Mar 14 12:07:09 2019
From: mhdwrkoffice at gmail.com (mhd wrk)
Date: Thu, 14 Mar 2019 09:07:09 -0700
Subject: [keycloak-user] jaxrs integration
Message-ID:

The project I'm working on uses JAXRS/Jersey for REST and Spring Boot for wiring (DI). As of now we have our own Authentication/Authorization components based on JAXRS filters. What's the best way to replace the in-house components with KeyCloak?

BTW, looking at the adapters under oidc adapters, it seems to me the *jaxrs-oauth-client* and *spring-boot2* might be the right candidates. However the first one is deprecated and the second one relies on spring-web which we are not using.
Thanks,
Mohammad

From andrewm659 at yahoo.com Thu Mar 14 12:58:30 2019
From: andrewm659 at yahoo.com (Andrew Meyer)
Date: Thu, 14 Mar 2019 16:58:30 +0000 (UTC)
Subject: [keycloak-user] Database backend issue
In-Reply-To:
References: <683306387.8457822.1551731986054.ref@mail.yahoo.com> <683306387.8457822.1551731986054@mail.yahoo.com>
Message-ID: <24110241.5541194.1552582711019@mail.yahoo.com>

That fixed it! Thank you!

Sent from Yahoo Mail on Android

On Wed, Mar 6, 2019 at 2:45 AM, Vlasta Ramik wrote:
Hello Andrew,

we use MariaDB 10.1.x for keycloak, can you try it?

V.

On 3/4/19 9:39 PM, Andrew Meyer wrote:
> Hello,
> I am trying to setup Keycloak on CentOS 7 (latest). This is a standalone machine.
>
> My remote MariaDB server is running 10.2.x latest.
>
> I was trying to run Keycloak latest with mysql-java-connector-5.1.46 and got the following results:
> Caused by: java.lang.RuntimeException: Failed to connect to database
>         at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:381)
>         at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65)
>         at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97)
>         at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:678)
>         at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95)
>         at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:148)
>         at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
>         at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:141)
>         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>         at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>         at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>         at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>         at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:154)
>         ... 31 more
> Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException]
>         at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:153)
>         at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:83)
>         at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207)
>         at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:184)
>         at org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:239)
>         at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193)
>         at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189)
>         at javax.naming.InitialContext.lookup(InitialContext.java:417)
>         at javax.naming.InitialContext.lookup(InitialContext.java:417)
>         at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:374)
>         ... 43 more
>
> I have tried using newer versions of the connector with the same result.
>

From andrewm659 at yahoo.com Thu Mar 14 13:13:26 2019
From: andrewm659 at yahoo.com (Andrew Meyer)
Date: Thu, 14 Mar 2019 17:13:26 +0000 (UTC)
Subject: [keycloak-user] Mariadb driver version
References: <1727719425.5549273.1552583606299.ref@mail.yahoo.com>
Message-ID: <1727719425.5549273.1552583606299@mail.yahoo.com>

What mariadb Java driver version should I use when using mariadb 10.1.x as the server?

Sent from Yahoo Mail on Android

From mizuki0621 at gmail.com Thu Mar 14 16:42:34 2019
From: mizuki0621 at gmail.com (mizuki)
Date: Thu, 14 Mar 2019 16:42:34 -0400
Subject: [keycloak-user] Authentication failed: org.jvnet.libpam.PAMException
In-Reply-To: <20190312153503.GA25306@abstractj.org>
References: <20190312153503.GA25306@abstractj.org>
Message-ID:

Thanks for the response, Bruno.

I certainly went through the documents and examined the configurations carefully. I attached the KRB log from the IPA server as well as /var/log/secure from the Keycloak server as supporting evidence (highlighted in blue for the important portions).

In the case when both 'password' and 'otp' are enabled for the user in IPA, Keycloak failed to authenticate the user with either the password or otp.
[root at idm01 ~]# ipa user-show mmstestu
  User login: mmstestu
  First name: Test
  Last name: 55555
  Home directory: /u0b/mmstestu
  Login shell: /bin/bash
  Principal name: mmstestu at SDCC.BNL.GOV
  Principal alias: mmstestu at SDCC.BNL.GOV
  Kerberos principal expiration: 20690301145828Z
  Email address: smithj4 at example.com
  UID: 7041
  GID: 9965
  SSH public key fingerprint: SHA256:/JlIpowM8fnzu+eVyeDj0Nb08+L3KWn7gG3lmS2YRFk (ssh-rsa)
  User authentication types: otp, password
  Account disabled: False
  Password: True
  Member of groups: ipausers, rhloi13, ravendor, webstaff, eic
  Member of HBAC rule: mktst1
  Kerberos keys available: True

Krb log on IPA server shows following:

Mar 14 16:24:36 idm01.sdcc.bnl.gov krb5kdc[9534](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: NEEDED_PREAUTH: mmstestu at SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV at SDCC.BNL.GOV, Additional pre-authentication required
Mar 14 16:24:36 idm01.sdcc.bnl.gov krb5kdc[9534](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: PREAUTH_FAILED: mmstestu at SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV at SDCC.BNL.GOV, Incorrect password in encrypted challenge

/var/log/secure log on KeyCloak server:

Mar 14 16:24:36 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost= user=mmstestu
Mar 14 16:24:36 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth): received for user mmstestu: 17 (Failure setting user credentials)

In ../log/server.log on KeyCloak server:

2019-03-14 16:24:36,844 ERROR [org.keycloak.federation.sssd.impl.PAMAuthenticator] (default task-2) Authentication failed: org.jvnet.libpam.PAMException: pam_authenticate failed : Permission denied
    at org.jvnet.libpam.PAM.check(PAM.java:113)
    at org.jvnet.libpam.PAM.authenticate(PAM.java:129)
    at org.keycloak.federation.sssd.impl.PAMAuthenticator.authenticate(PAMAuthenticator.java:53)
    at org.keycloak.federation.sssd.SSSDFederationProvider.isValid(SSSDFederationProvider.java:180)
    at org.keycloak.credential.UserCredentialStoreManager.validate(UserCredentialStoreManager.java:143)
    at org.keycloak.credential.UserCredentialStoreManager.isValid(UserCredentialStoreManager.java:124)
    at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword(AbstractUsernameFormAuthenticator.java:193)
    at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:166)
    at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:55)
    at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:48)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:113)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:97)
    at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873)
    at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292)
    at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:263)
    at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:259)
    at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:320)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
    at java.lang.reflect.Method.invoke(Method.java:508)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
    at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
    at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
    at org.jboss.resteasy.core.ResourceMethodInvoker$$Lambda$873.00000000AFCB79F0.get(Unknown Source)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
    at org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$871.00000000B11B4F40.run(Unknown Source)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
    at org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$872.00000000ACC159F0.get(Unknown Source)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
    at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$721.00000000A8A8CB90.call(Unknown Source)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown Source)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown Source)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown Source)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown Source)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
    at java.lang.Thread.run(Thread.java:812)

Then if I remove the 'password' option and leave 'otp' only for the user, KeyCloak does actually authenticate fine (password + QRCode combined with no space):

Following are logs when it succeeds:

[root at idm01 ~]# ipa user-mod mmstestu --user-auth-type=otp
------------------------
Modified user "mmstestu"
------------------------
  User login: mmstestu
  First name: Test
  Last name: 55555
  Home directory: /u0b/mmstestu
  Login shell: /bin/bash
  Principal name: mmstestu at SDCC.BNL.GOV
  Principal alias: mmstestu at SDCC.BNL.GOV
  Kerberos principal expiration: 20690301145828Z
  Email address: smithj4 at example.com
  UID: 7041
  GID: 9965
  SSH public key fingerprint: SHA256:/JlIpowM8fnzu+eVyeDj0Nb08+L3KWn7gG3lmS2YRFk (ssh-rsa)
  User authentication types: otp
  Account disabled: False
  Password: True
  Member of groups: ipausers, rhloi13, ravendor, webstaff, eic
  Member of HBAC rule: mktst1
  Kerberos keys available: True

In KRB log on IPA server:

Mar 14 16:28:57 idm01.sdcc.bnl.gov krb5kdc[9535](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: ISSUE: authtime 1552595337, etypes {rep=18 tkt=18 ses=18}, mmstestu at SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV at SDCC.BNL.GOV
Mar 14 16:28:57 idm01.sdcc.bnl.gov krb5kdc[9535](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: ISSUE: authtime 1552595337, etypes {rep=18 tkt=18 ses=18}, mmstestu at SDCC.BNL.GOV for host/mktst1.sdcc.bnl.gov at SDCC.BNL.GOV

In /var/log/secure on KeyCloak server:

Mar 14 16:28:57 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth): authentication success; logname=root uid=0 euid=0 tty= ruser= rhost= user=mmstestu

Please advise.

Thanks.
Mizuki

On Tue, Mar 12, 2019 at 11:35 AM Bruno Oliveira wrote:
> Hi Mizuki,
>
> In the scenario you described Keycloak just relies on PAM to
> authenticate the user. What I'd do before configure Keycloak is to try
> dbus-send and pamtester, just to make sure that my setup works.
>
> So here's my suggestion, try to run pamtester -v keycloak youruser. If
> pamtester does not authenticate your user, there's a chance that
> something is wrong with your setup. Certainly worth to review our
> docs[1].
>
> [1] - https://www.keycloak.org/docs/latest/server_admin/index.html#_sssd
>
> On 2019-03-05, mizuki wrote:
> > Hi,
> >
> > We are currently evaluating keycloak as a possible authentication mechanism
> > deployed to our facility.
> > We use kerberos for user authentication with FreeIPA and configured sssd
> > for user federation in keycloak (following the official documents from both
> > keycloak and freeipa.org).
> > One of the requirements we desire is to enable kerberos password for SSH
> > login and enable 'otp' for HTTP based applications.
> >
> > To do so,
> > 1. We enabled both user-auth-types for the user:
> >    - password
> >    - password + otp
> >
> > 2. Created HBAC rules in IPA, allowing keycloak server access for the following
> >    services: (I purposely did not enable 'otp' at this point as I want to
> >    verify both 'password' and 'otp' shall work)
> >    - keycloak
> >    - sshd
> >
> > 3. Confirmed sshd worked with both 'password' and 'otp' types via PAM/SSSD,
> >    then I went ahead and accessed a URL that is protected by keycloak;
> >    'password' works but 'otp' won't, the following ERRORs were seen in
> >    keycloak's server.log:
> > -----------
> > 019-03-04 17:01:20,246 WARN [org.keycloak.events] (default task-22) type=LOGIN_ERROR, realmId=SDCC, clientId=vproxytest03, userId=9900928d-efee-4192-bbc8-7e29cf512d2b, ipAddress=130.199.6.120, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://www.example.com/secure/*, code_id=d6c83411-4ca8-4d2b-b942-afd0006e98d2, username=mmstestu
> > 2019-03-04 17:01:43,033 ERROR [org.keycloak.federation.sssd.impl.PAMAuthenticator] (default task-22) Authentication failed: org.jvnet.libpam.PAMException: pam_authenticate failed : Permission denied
> >         at org.jvnet.libpam.PAM.check(PAM.java:113)
> >         at org.jvnet.libpam.PAM.authenticate(PAM.java:129)
> >         at org.keycloak.federation.sssd.impl.PAMAuthenticator.authenticate(PAMAuthenticator.java:53)
> > ------------------
> >
> > Interesting thing is keycloak handles OTP just fine if I have
> > 'password+otp' only checked on, but then we won't be able to log onto the
> > machines via SSH using password, which defeats our purposes.
> >
> > I tested different versions of JAVA and the latest keycloak (4.8.3) version
> > (on RHEL 7), all got the same results.
> > I'm wondering if this is more likely a bug or I missed something.
> > I'd appreciate if someone can advise what the approach is.
> >
> > Thank you very much.
> >
> > Mizuki
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> abstractj

From chris.savory at edlogics.com Thu Mar 14 18:27:58 2019
From: chris.savory at edlogics.com (Chris Savory)
Date: Thu, 14 Mar 2019 22:27:58 +0000
Subject: [keycloak-user] Docker Image for Keycloak 5.0.0
Message-ID: <9617B195-4C2D-490C-BD63-74A78A3ECC6C@contoso.com>

I'm getting the following build error when I try to build a docker container using keycloak 5.0.0

build 14-Mar-2019 21:35:54 Sending build context to Docker daemon 6.952MB
build 14-Mar-2019 21:35:54
build 14-Mar-2019 21:35:54 Step 1/20 : FROM jboss/keycloak:5.0.0
error 14-Mar-2019 21:35:54 manifest for jboss/keycloak:5.0.0 not found

When I go to https://hub.docker.com/r/jboss/keycloak/tags, I do not see 5.0.0 listed there. When should we expect it?

-Chris

From niko at n-k.de Thu Mar 14 18:41:12 2019
From: niko at n-k.de (Niko Köbler)
Date: Thu, 14 Mar 2019 23:41:12 +0100
Subject: [keycloak-user] Docker Image for Keycloak 5.0.0
In-Reply-To: <9617B195-4C2D-490C-BD63-74A78A3ECC6C@contoso.com>
References: <9617B195-4C2D-490C-BD63-74A78A3ECC6C@contoso.com>
Message-ID: <42C816E8-0F59-408E-8559-9D14C66D4324@n-k.de>

Docker images from 5.x up are now on quay.io
See this thread: http://lists.jboss.org/pipermail/keycloak-user/2019-March/017452.html

- Niko

> On 14.03.2019 at 23:27, Chris Savory wrote:
>
> I'm getting the following build error when I try to build a docker container using keycloak 5.0.0
>
> build 14-Mar-2019 21:35:54 Sending build context to Docker daemon 6.952MB
> build 14-Mar-2019 21:35:54
> build 14-Mar-2019 21:35:54 Step 1/20 : FROM jboss/keycloak:5.0.0
> error 14-Mar-2019 21:35:54 manifest for jboss/keycloak:5.0.0 not found
>
> When I go to https://hub.docker.com/r/jboss/keycloak/tags, I do not see 5.0.0 listed there. When should we expect it?
>
> -Chris

From bruno at abstractj.org Thu Mar 14 19:01:22 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 14 Mar 2019 20:01:22 -0300
Subject: [keycloak-user] Authentication failed: org.jvnet.libpam.PAMException
In-Reply-To:
References: <20190312153503.GA25306@abstractj.org>
Message-ID:

What is the output from pamtester?

On Thu, Mar 14, 2019, 5:42 PM mizuki wrote:
> Thanks for the response, Bruno.
>
> I certainly went through the documents and examined the configurations
> carefully. I attached the KRB log from the IPA server as well as /var/log/secure
> from the Keycloak server as supporting evidence (highlighted in blue for the
> important portions).
>
> In the case when both 'password' and 'otp' are enabled for the user in IPA,
> Keycloak failed to authenticate the user with either the password or otp.
>
> [root at idm01 ~]# ipa user-show mmstestu
>   User login: mmstestu
>   First name: Test
>   Last name: 55555
>   Home directory: /u0b/mmstestu
>   Login shell: /bin/bash
>   Principal name: mmstestu at SDCC.BNL.GOV
>   Principal alias: mmstestu at SDCC.BNL.GOV
>   Kerberos principal expiration: 20690301145828Z
>   Email address: smithj4 at example.com
>   UID: 7041
>   GID: 9965
>   SSH public key fingerprint: SHA256:/JlIpowM8fnzu+eVyeDj0Nb08+L3KWn7gG3lmS2YRFk (ssh-rsa)
>   User authentication types: otp, password
>   Account disabled: False
>   Password: True
>   Member of groups: ipausers, rhloi13, ravendor, webstaff, eic
>   Member of HBAC rule: mktst1
>   Kerberos keys available: True
>
> Krb log on IPA server shows the following:
> Mar 14 16:24:36 idm01.sdcc.bnl.gov krb5kdc[9534](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: NEEDED_PREAUTH: mmstestu at SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV at SDCC.BNL.GOV, Additional pre-authentication required
> Mar 14 16:24:36 idm01.sdcc.bnl.gov krb5kdc[9534](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: PREAUTH_FAILED: mmstestu at SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV at SDCC.BNL.GOV, Incorrect password in encrypted challenge
>
> /var/log/secure log on KeyCloak server:
> Mar 14 16:24:36 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost= user=mmstestu
> Mar 14 16:24:36 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth): received for user mmstestu: 17 (Failure setting user credentials)
>
> In ../log/server.log on KeyCloak server:
> 2019-03-14 16:24:36,844 ERROR [org.keycloak.federation.sssd.impl.PAMAuthenticator] (default task-2) Authentication failed: org.jvnet.libpam.PAMException: pam_authenticate failed : Permission denied
>         at org.jvnet.libpam.PAM.check(PAM.java:113)
>         at org.jvnet.libpam.PAM.authenticate(PAM.java:129)
>         at org.keycloak.federation.sssd.impl.PAMAuthenticator.authenticate(PAMAuthenticator.java:53)
>         at org.keycloak.federation.sssd.SSSDFederationProvider.isValid(SSSDFederationProvider.java:180)
>         at org.keycloak.credential.UserCredentialStoreManager.validate(UserCredentialStoreManager.java:143)
>         at org.keycloak.credential.UserCredentialStoreManager.isValid(UserCredentialStoreManager.java:124)
>         at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword(AbstractUsernameFormAuthenticator.java:193)
>         at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:166)
>         at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:55)
>         at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:48)
>         at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:113)
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) >> > >> > at >> > >> org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509) >> > >> > at >> > >> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399) >> > >> > at >> > >> org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363) >> > >> > at >> > >> org.jboss.resteasy.core.ResourceMethodInvoker$$Lambda$849.00000000BB8BBB40.get(Unknown >> > Source) >> > at >> > >> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) >> > >> > at >> > >> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365) >> > >> > at >> > >> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337) >> > >> > at >> > >> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) >> > >> > at >> > >> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) >> > >> > at >> > >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443) >> > >> > at >> > >> org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233) >> > >> > at >> > >> org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$847.00000000BE026450.run(Unknown >> > Source) >> > at >> > >> org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139) >> > >> > at >> > >> org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$848.00000000BDC48A90.get(Unknown >> > Source) >> > at >> > >> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) >> > >> > at >> > >> org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142) >> > >> > at >> > >> 
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219) >> > >> > at >> > >> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) >> > >> > at >> > >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >> > >> > at >> > >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >> > >> > at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) >> > at >> > >> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) >> > >> > at >> > >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) >> > >> > at >> > >> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) >> > >> > at >> > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) >> > at >> > >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >> > >> > at >> > >> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) >> > >> > at >> > >> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >> > >> > at >> > >> io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) >> > >> > at >> > >> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >> > >> > at >> > >> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >> > >> > at >> > >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> > >> > at >> > >> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) >> > >> > at >> > >> 
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >> > >> > at >> > >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> > >> > at >> > >> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >> > >> > at >> > >> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >> > >> > at >> > >> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) >> > >> > at >> > >> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >> > >> > at >> > >> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >> > >> > at >> > >> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) >> > >> > at >> > >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> > >> > at >> > >> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >> > >> > at >> > >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> > >> > at >> > >> org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) >> > >> > at >> > >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> > >> > at >> > >> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) >> > >> > at >> > >> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) >> > >> > at >> > >> 
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) >> > >> > at >> > >> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) >> > >> > at >> > >> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) >> > >> > at >> > >> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) >> > >> > at >> > >> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) >> > >> > at >> > >> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$693.00000000BCF725B0.call(Unknown >> > Source) >> > at >> > >> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) >> > >> > at >> > >> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown >> > Source) >> > at >> > >> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) >> > >> > at >> > >> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown >> > Source) >> > at >> > >> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) >> > >> > at >> > >> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown >> > Source) >> > at >> > >> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) >> > >> > at >> > >> 
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown >> > Source) >> > at >> > >> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) >> > >> > at >> > >> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) >> > >> > at >> > >> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) >> > >> > at >> > io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) >> > at >> > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) >> > at >> > >> org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) >> > >> > at >> > >> org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) >> > >> > at >> > >> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) >> > >> > at >> > >> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) >> > >> > at java.lang.Thread.run(Thread.java:812) >> > ------------------ >> > >> > Interesting thing is keycloak handles OTP just fine if I have >> > 'password+otp' only checked on, then we won't be able to log onto the >> > machines via SSH using password, that defeats our purposes. >> > >> > I tested different version of JAVA and the latest keycloak (4.8.3) >> version >> > (on REHL 7), all got the same results. >> > I'm wondering if this is more likely a bug or I missed something. >> > I'd appreciate if someone can advice what the approach is. >> > >> > Thank you very much. 
From mizuki0621 at gmail.com Thu Mar 14 20:37:55 2019
From: mizuki0621 at gmail.com (mizuki)
Date: Thu, 14 Mar 2019 20:37:55 -0400
Subject: [keycloak-user] Authentication failed: org.jvnet.libpam.PAMException
In-Reply-To:
References: <20190312153503.GA25306@abstractj.org>
Message-ID:

See below: pamtester succeeded in both cases (whether both OTP and password are enabled, or OTP only).

Case 1: Both password and OTP are enabled:

[root at mktst1 ~]# pamtester keycloak mmstestu authenticate
First Factor:
Second Factor (optional):
pamtester: successfully authenticated

Case 2: Enabled OTP only:

[root at mktst1 ~]# pamtester Keycloak mmstestu authenticate
First Factor:
Second Factor:
pamtester: successfully authenticated

Note
Thanks.

On Thu, Mar 14, 2019 at 7:01 PM Bruno Oliveira wrote:
> What is the output from pamtester?
>
> On Thu, Mar 14, 2019, 5:42 PM mizuki wrote:
>
>> Thanks for the response, Bruno.
>>
>> I certainly went through the documents and examined the configurations
>> carefully. I attached the KRB log from the IPA server as well as /var/log/secure
>> from the Keycloak server as supporting evidence (highlighted in blue for the
>> important portions).
>>
>> In the case when both 'password' and 'otp' are enabled for the user in
>> IPA, Keycloak failed to authenticate the user with either the password or otp.
>>> > at >>> > >>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) >>> > >>> > at >>> > >>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) >>> > >>> > at >>> > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) >>> > at >>> > >>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >>> > >>> > at >>> > >>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) >>> > >>> > at >>> > >>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >>> > >>> > at >>> > >>> io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) >>> > >>> > at >>> > >>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >>> > >>> > at >>> > >>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >>> > >>> > at >>> > >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> > >>> > at >>> > >>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) >>> > >>> > at >>> > >>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >>> > >>> > at >>> > >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> > >>> > at >>> > >>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >>> > >>> > at >>> > >>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >>> > >>> > at >>> > >>> 
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) >>> > >>> > at >>> > >>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >>> > >>> > at >>> > >>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >>> > >>> > at >>> > >>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) >>> > >>> > at >>> > >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> > >>> > at >>> > >>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >>> > >>> > at >>> > >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> > >>> > at >>> > >>> org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) >>> > >>> > at >>> > >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> > >>> > at >>> > >>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) >>> > >>> > at >>> > >>> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) >>> > >>> > at >>> > >>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) >>> > >>> > at >>> > >>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) >>> > >>> > at >>> > >>> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) >>> > >>> > at >>> > >>> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) >>> > >>> > at >>> > >>> 
org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) >>> > >>> > at >>> > >>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$693.00000000BCF725B0.call(Unknown >>> > Source) >>> > at >>> > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) >>> > >>> > at >>> > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown >>> > Source) >>> > at >>> > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) >>> > >>> > at >>> > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown >>> > Source) >>> > at >>> > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) >>> > >>> > at >>> > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown >>> > Source) >>> > at >>> > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) >>> > >>> > at >>> > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown >>> > Source) >>> > at >>> > >>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) >>> > >>> > at >>> > >>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) >>> > >>> > at >>> > >>> 
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) >>> > >>> > at >>> > io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) >>> > at >>> > >>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) >>> > at >>> > >>> org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) >>> > >>> > at >>> > >>> org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) >>> > >>> > at >>> > >>> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) >>> > >>> > at >>> > >>> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) >>> > >>> > at java.lang.Thread.run(Thread.java:812) >>> > ------------------ >>> > >>> > Interesting thing is keycloak handles OTP just fine if I have >>> > 'password+otp' only checked on, then we won't be able to log onto the >>> > machines via SSH using password, that defeats our purposes. >>> > >>> > I tested different version of JAVA and the latest keycloak (4.8.3) >>> version >>> > (on REHL 7), all got the same results. >>> > I'm wondering if this is more likely a bug or I missed something. >>> > I'd appreciate if someone can advice what the approach is. >>> > >>> > Thank you very much. >>> > >>> > Mizuki >>> > _______________________________________________ >>> > keycloak-user mailing list >>> > keycloak-user at lists.jboss.org >>> > https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> -- >>> >>> abstractj >>> >> From testoauth55 at gmail.com Fri Mar 15 03:03:20 2019 From: testoauth55 at gmail.com (Bruce Wings) Date: Fri, 15 Mar 2019 12:33:20 +0530 Subject: [keycloak-user] Restrict max number of users in a realm Message-ID: Is it possible to restrict number of users creation in a realm to say 500 , 1000 etc? Where can I find the config for the same? 
From mposolda at redhat.com Fri Mar 15 04:31:33 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 15 Mar 2019 09:31:33 +0100
Subject: [keycloak-user] Deprecating/Removing keycloak-servlet-oauth-client
Message-ID:

We plan to deprecate and then eventually remove keycloak-servlet-oauth-client. We don't officially support this client (it is not documented or tested) and it is additional maintenance overhead to have it in our codebase.

Is someone around who uses this client? Do you want to become a maintainer of it? If yes, let us know. You can fork it to your repository and we will reference it from the "Extensions" page [1].

Some more details about the client: AFAIR it is one of the very early-days keycloak features, and the use-case behind it was that you have a web frontend Java application which is not secured by Keycloak and doesn't use the adapter, but you still want a way to invoke REST services from this application which are secured by Keycloak. So you want to trigger the OAuth flow manually from Java without having the adapter do it for you - that's what this client is doing.

I think that this client can almost always be replaced by the adapter or by the servlet filter. The only case when it couldn't be replaced by the servlet filter is when you have a non-servlet Java application.

This OAuth client is unmaintained and it is missing a lot of features which were recently added to the adapter.

[1] https://www.keycloak.org/extensions.html

Marek

From vramik at redhat.com Fri Mar 15 04:45:35 2019
From: vramik at redhat.com (Vlasta Ramik)
Date: Fri, 15 Mar 2019 09:45:35 +0100
Subject: [keycloak-user] Mariadb driver version
In-Reply-To: <1727719425.5549273.1552583606299@mail.yahoo.com>
References: <1727719425.5549273.1552583606299.ref@mail.yahoo.com> <1727719425.5549273.1552583606299@mail.yahoo.com>
Message-ID: <9a5e0b83-e2ff-c84c-8b6f-51a076cc5de9@redhat.com>

Hey Andrew,

we use 2.2.4 currently [1]

V.

[1] https://mvnrepository.com/artifact/org.mariadb.jdbc/mariadb-java-client/2.2.4

On 3/14/19 6:13 PM, Andrew Meyer wrote:
> What mariadb Java driver version should I use when using mariadb 10.1.x as the server?

From jyoti.tech90 at gmail.com Fri Mar 15 05:06:42 2019
From: jyoti.tech90 at gmail.com (Jyoti Kumar Singh)
Date: Fri, 15 Mar 2019 14:36:42 +0530
Subject: [keycloak-user] Changes in Keycloak 3.4.3 SAML Logout Requests Spec
Message-ID:

Hi Team,

We are seeing a slight difference in the SAML logout request (specifically the SessionIndex tag) formed by Keycloak 3.4.3 compared with Keycloak 3.1.0. Below is the sample logout response for the same.

If you notice the highlighted section, you can see the SessionIndex value in Keycloak 3.1.0 is one dynamic value, but the SessionIndex in Keycloak 3.4.3 is separated by "::". I would like to know the significance of this separation.

It seems that some SAML Service Providers are not able to recognize this change in the SessionIndex tag (formed by Keycloak 3.4.3) and throw an "Error during Base64 decoding of LogoutRequest" error. Please suggest your thoughts on this.

Kindly let me know for any further clarification on this.

#SAML Logout Request for Keycloak 3.1.0 :-
https://xxxxxxx/auth/realms/XXXXX
xxxx at xxx.com
SessionIndex: 4d0ad6ad-370a-4a3a-b6ef-eaaaed06dad3

#SAML Logout Request for Keycloak 3.4.3 :-
https://xxxxx/auth/realms/XXXXX
xxxx at xxx.com
SessionIndex: 28d53802-0174-49e7-b6d7-ed16fdf6e909::c665a382-6583-470f-92d5-e91861edc86a

--
With Regards,
Jyoti Kumar Singh

From alexander.loesel at pmcinformatik.ch Fri Mar 15 05:44:12 2019
From: alexander.loesel at pmcinformatik.ch (Lösel Alexander)
Date: Fri, 15 Mar 2019 09:44:12 +0000
Subject: [keycloak-user] Clarification about Kerberos Credential Delegation
Message-ID:

Hi all,

I'm absolutely new to OAuth. I just read the docs about Kerberos (https://www.keycloak.org/docs/3.2/server_admin/topics/authentication/kerberos.html) and I am not sure if I understand correctly.

Is it possible to own a service that receives a request from a keycloak-authenticated user (from the ActiveDirectory provider) and do an AD impersonation?

Thanks for your help and regards,
Alex

From benjamin.huskic at thequalitygate.com Fri Mar 15 07:10:42 2019
From: benjamin.huskic at thequalitygate.com (Benjamin Huskic)
Date: Fri, 15 Mar 2019 11:10:42 +0000
Subject: [keycloak-user] Docker Image for Keycloak 5.0.0
In-Reply-To: <42C816E8-0F59-408E-8559-9D14C66D4324@n-k.de>
References: <9617B195-4C2D-490C-BD63-74A78A3ECC6C@contoso.com> <42C816E8-0F59-408E-8559-9D14C66D4324@n-k.de>
Message-ID:

Dear Niko,

Thanks for the info.
Cheers,
Ben

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Niko Köbler
Sent: Friday, 15 March 2019 02:41
To: Chris Savory
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Docker Image for Keycloak 5.0.0

Docker images from 5.x up are now on quay.io
See this thread: http://lists.jboss.org/pipermail/keycloak-user/2019-March/017452.html

- Niko

> On 14.03.2019 at 23:27, Chris Savory wrote:
>
> I'm getting the following build error when I try to build a docker
> container using keycloak 5.0.0
>
> build 14-Mar-2019 21:35:54 Sending build context to Docker daemon 6.952MB
> build 14-Mar-2019 21:35:54
> build 14-Mar-2019 21:35:54 Step 1/20 : FROM jboss/keycloak:5.0.0
> error 14-Mar-2019 21:35:54 manifest for jboss/keycloak:5.0.0 not found
>
> When I go to https://hub.docker.com/r/jboss/keycloak/tags, I do not see 5.0.0 listed there. When should we expect it?
>
> -Chris

From fateh.alchhabi at gmail.com Fri Mar 15 08:13:57 2019
From: fateh.alchhabi at gmail.com (Fateh)
Date: Fri, 15 Mar 2019 05:13:57 -0700 (MST)
Subject: [keycloak-user] Exclude a user with realm-management role from keycloak's password policy
Message-ID: <1552652037840-0.post@n6.nabble.com>

Problem:

I have a user with client roles from realm-management in a realm called xx which has a password policy. I want to exclude this user from the password policy, since this user is responsible for fetching the roles and users and doing some updates via the Java API, and I don't want all the operations to stop until we update the user's password when the password policy triggers.

PS. I tried to use the admin user from the master realm; I couldn't get data out of the master realm.

I would appreciate any help or ideas.

--
Sent from: http://keycloak-user.88327.x6.nabble.com/

From msakho at redhat.com Fri Mar 15 08:29:39 2019
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Fri, 15 Mar 2019 13:29:39 +0100
Subject: [keycloak-user] Monitoring Keycloak
In-Reply-To:
References: <23F0D559-6F56-48C6-B604-D9C640ABDAED@n-k.de> <34458456-c182-0bd6-796f-6d302ef13578@redhat.com>
Message-ID:

You can also implement your own if you don't want to wait for the native API.
https://github.com/jmesnil/wildfly-microprofile-health

MEISSA SAKHO
ARCHITECT EMEA TECH SPECIALIST
Red Hat
M: +33 (0) 6 9559 7778
TRIED. TESTED. TRUSTED.

On Thu, 14 Mar 2019 at 14:12, Niko Köbler wrote:
> Thanks, Sebastian and Vlasta,
>
> sounds both good to me, especially the SmallRye extension and that
> Wildfly/Keycloak will get a "native" API for that.
>
> JMX is always an option, I know, but due to the lack of JMX experience,
> one tries to avoid it where one is able to avoid it. ;)
>
> - Niko
>
>
> > On 14.03.2019 at 10:11, Schuster Sebastian (INST-CSS/BSV-OS2) <Sebastian.Schuster at bosch-si.com> wrote:
> >
> > Hi Niko,
> >
> > For Metrics, we use the JMX exporter (https://github.com/prometheus/jmx_exporter) to push stuff into Prometheus and use Grafana to view it.
> >
> On 14.03.2019 at 12:07, Vlasta Ramik wrote:
>
> Hey Niko,
>
> just FYI with the upcoming upgrade to Wildfly 16 we plan to enable the SmallRye
> Health and Metrics extensions [1]
>
> [1] https://issues.jboss.org/browse/KEYCLOAK-9708
>

From fateh.alchhabi at gmail.com Fri Mar 15 08:55:25 2019
From: fateh.alchhabi at gmail.com (Fateh)
Date: Fri, 15 Mar 2019 05:55:25 -0700 (MST)
Subject: [keycloak-user] Exclude a user with realm-management role from keycloak's password policy
Message-ID: <1552654525112-0.post@n6.nabble.com>

Problem:

I have a user with client roles from realm-management in a realm called xx which has a password policy. I want to exclude this user from the password policy, since this user is responsible for fetching the roles and users and doing some updates via the Java API, and I don't want all the operations to stop until we update the user's password when the password policy triggers.

PS. I tried to use the admin user from the master realm; I couldn't get data out of the master realm.

I would appreciate any help or ideas.

From fateh.alchhabi at gmail.com Fri Mar 15 09:06:11 2019
From: fateh.alchhabi at gmail.com (Fateh)
Date: Fri, 15 Mar 2019 06:06:11 -0700 (MST)
Subject: [keycloak-user] Exclude a user with realm-management role from keycloak's password policy
Message-ID: <1552655171731-0.post@n6.nabble.com>

I have a user with client roles from realm-management in a realm called xx which has a password policy. I want to exclude this user from the password policy, since this user is responsible for fetching the roles and users and doing some updates via the Java API, and I don't want all the operations to stop until we update the user's password when the password policy triggers.

PS. I tried to use the admin user from the master realm; I couldn't get data out of the master realm.

I would appreciate any help or ideas.

From firozpalapra at outlook.com Fri Mar 15 09:11:06 2019
From: firozpalapra at outlook.com (Firoz Ahamed)
Date: Fri, 15 Mar 2019 13:11:06 +0000
Subject: [keycloak-user] Exclude a user with realm-management role from keycloak's password policy
In-Reply-To: <1552654525112-0.post@n6.nabble.com>
References: <1552654525112-0.post@n6.nabble.com>
Message-ID:

Hi,

You could create a new user in the master realm and assign the realm-management roles for the specific realm using the Role Mappings tab -> Client Roles. In order to manage the other realm, get the token for the newly created user from the master realm and then send that token in your API calls.

The ability to assign realm management for other realms is only available for users in the master realm.

Hope this helps.

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Fateh
Sent: Friday, March 15, 2019 6:25:25 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Exclude a user with realm-management role from keycloak's password policy

Problem:

I have a user with client roles from realm-management in a realm called xx which has a password policy. I want to exclude this user from the password policy, since this user is responsible for fetching the roles and users and doing some updates via the Java API, and I don't want all the operations to stop until we update the user's password when the password policy triggers.

PS. I tried to use the admin user from the master realm; I couldn't get data out of the master realm.

I would appreciate any help or ideas.
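Firoz's suggestion in runnable form, as an added example for this thread (it is not code from the thread, from Keycloak, or from the keycloak admin client library): obtain a token from the master realm with Keycloak's built-in public admin-cli client, confirm the token carries a client role of master's xx-realm client before touching realm xx, and only then call realm xx's admin REST API. Assumed values are the server URL https://keycloak.example.com/auth, the realm name xx from Fateh's question, the role view-users and the endpoint GET /admin/realms/xx/users/count. The demo_token helper builds a constructed, unsigned token so the flow can be exercised without a server; with a real server the token is minted and verified by Keycloak, never by this script.

```python
"""Manage realm "xx" with a service user that lives in the master realm.

Added example; not Keycloak's code nor code from the mailing-list thread.
Assumptions: Keycloak at KEYCLOAK_BASE; a master-realm user that has been
given client roles of master's "xx-realm" client (the client master keeps
for every realm it manages); the public "admin-cli" client for the password
grant. Because the user lives in master, realm xx's password policy never
applies to it, which is what the question asked for.
"""
import base64
import json
import urllib.parse
import urllib.request

KEYCLOAK_BASE = "https://keycloak.example.com/auth"  # assumed
MASTER_REALM = "master"
TARGET_REALM = "xx"


def token_request(username, password):
    """Password grant against the master realm's token endpoint."""
    url = f"{KEYCLOAK_BASE}/realms/{MASTER_REALM}/protocol/openid-connect/token"
    form = {"grant_type": "password", "client_id": "admin-cli",
            "username": username, "password": password}
    return urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def jwt_claims(token):
    """Read the payload of a compact JWS without verifying it.  Acceptable for
    inspecting a token we just received from the issuer over TLS; never use
    this to *accept* a token presented by a third party."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def has_realm_management_role(token, realm, role):
    """Master grants rights over realm <r> through client roles of client "<r>-realm"."""
    access = jwt_claims(token).get("resource_access", {})
    return role in access.get(f"{realm}-realm", {}).get("roles", [])


def admin_request(token, path, method="GET", body=None):
    """Build a call to the admin REST API of the target realm."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    data = None
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(body).encode()
    return urllib.request.Request(f"{KEYCLOAK_BASE}/admin/realms/{TARGET_REALM}{path}",
                                  data=data, headers=headers, method=method)


def count_users(username, password, send=urllib.request.urlopen):
    """Log in, check the token carries view-users for realm xx, then count its users.
    `send` is injectable so the flow can be exercised offline."""
    with send(token_request(username, password)) as resp:
        token = json.loads(resp.read())["access_token"]
    if not has_realm_management_role(token, TARGET_REALM, "view-users"):
        raise PermissionError(
            f"token lacks view-users on client {TARGET_REALM}-realm; assign it in "
            "master under Role Mappings -> Client Roles")
    with send(admin_request(token, "/users/count")) as resp:
        return int(resp.read())


def demo_token(claims):
    """Constructed, unsigned token (alg=none) for offline demonstration only."""
    def part(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{part({'alg': 'none'})}.{part(claims)}."
```

The role check before the first admin call is what turns a confusing HTTP 403 later into a precise message now: a master-realm user with no xx-realm roles authenticates perfectly well and only fails when it touches realm xx.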
From jdennis at redhat.com Fri Mar 15 09:14:51 2019
From: jdennis at redhat.com (John Dennis)
Date: Fri, 15 Mar 2019 09:14:51 -0400
Subject: [keycloak-user] Changes in Keycloak 3.4.3 SAML Logout Requests Spec
In-Reply-To:
References:
Message-ID: <87cd08fa-4a5b-a7fb-a49a-5a54958cad6b@redhat.com>

On 3/15/19 5:06 AM, Jyoti Kumar Singh wrote:
> Hi Team,
>
> We are seeing slight difference in SAML logout request (specifically
> the SessionIndex tag) formed by Keycloak 3.4.3 compared with Keycloak 3.1.0. Below is the
> sample logout response for the same.
>
> If you notice the highlighted section, you can see SessionIndex value in
> Keycloak 3.1.0 is one dynamic value but SessionIndex in Keycloak 3.4.3 is
> separated by "::", I am willing to know the significance of this
> separation.
>
> It seems that some of the SAML Service Provider is not able to recognize
> this change in SessionIndex tag (formed by Keycloak 3.4.3) and throwing "Error
> during Base64 decoding of LogoutRequest" error. Please suggest your
> thoughts on this.
>
> Kindly let me know for any further clarification on this.

The SAML Core specification defines the type of a SessionIndex as a string. There are no restrictions on the content of the string. There are some recommendations regarding the string content with respect to privacy. Hence session participants should treat the SessionIndex as an opaque identifier.

If an SP is generating an error because of the presence of some combination of characters in the opaque identifier it would be an SP implementation issue.

I have no idea why base64 decoding would be relevant in this context.
--
John Dennis

From greetrobijns at gmail.com Fri Mar 15 09:26:18 2019
From: greetrobijns at gmail.com (Greet Robijns)
Date: Fri, 15 Mar 2019 14:26:18 +0100
Subject: [keycloak-user] node adapter
Message-ID:

Hi all,

I followed the instructions on https://www.keycloak.org/docs/latest/securing_apps/index.html#_nodejs_adapter to add keycloak to my express server. My routes are handled by react on the client side. However, I only get "access denied" and no redirection to the authentication page?

My configuration:

    var session = require("express-session");
    var Keycloak = require("keycloak-connect");

    connectWithRetry();

    var memoryStore = new session.MemoryStore();

    let kcConfig = {
      realm: "Marketing Console",
      url: "http://localhost:8080/auth",
      clientId: "marketing_console",
      "bearer-only": true,
      "ssl-required": "none",
      "enable-cors": true,
      "public-client": true
    };

    app.use(
      session({
        secret: "mySecret",
        resave: false,
        saveUninitialized: true,
        store: memoryStore
      })
    );

    let keycloak = new Keycloak({ store: memoryStore }, kcConfig);

    app.get("/", keycloak.protect());

Kind Regards
Greet Robijns

From andrewm659 at yahoo.com Fri Mar 15 09:35:23 2019
From: andrewm659 at yahoo.com (Andrew Meyer)
Date: Fri, 15 Mar 2019 13:35:23 +0000 (UTC)
Subject: [keycloak-user] Mariadb driver version
In-Reply-To: <9a5e0b83-e2ff-c84c-8b6f-51a076cc5de9@redhat.com>
References: <1727719425.5549273.1552583606299.ref@mail.yahoo.com> <1727719425.5549273.1552583606299@mail.yahoo.com> <9a5e0b83-e2ff-c84c-8b6f-51a076cc5de9@redhat.com>
Message-ID: <1455448609.6013794.1552656923052@mail.yahoo.com>

So I have 5.1.47 and that is giving me trouble.

On Fri, Mar 15, 2019 at 3:45 AM, Vlasta Ramik wrote:
Hey Andrew,

we use 2.2.4 currently [1]

V.

[1] https://mvnrepository.com/artifact/org.mariadb.jdbc/mariadb-java-client/2.2.4

On 3/14/19 6:13 PM, Andrew Meyer wrote:
> What mariadb Java driver version should I use when using mariadb 10.1.x as the server?

From jyoti.tech90 at gmail.com Fri Mar 15 09:41:47 2019
From: jyoti.tech90 at gmail.com (Jyoti Kumar Singh)
Date: Fri, 15 Mar 2019 19:11:47 +0530
Subject: [keycloak-user] Changes in Keycloak 3.4.3 SAML Logout Requests Spec
In-Reply-To: <87cd08fa-4a5b-a7fb-a49a-5a54958cad6b@redhat.com>
References: <87cd08fa-4a5b-a7fb-a49a-5a54958cad6b@redhat.com>
Message-ID:

Hi John,

Thank you very much for your reply.

Yes, it looks a little irrelevant with respect to base64 decoding, but when I compared the SAML logout response produced by Keycloak 3.1.0 and Keycloak 3.4.3, I see the only difference in the SessionIndex value. Interestingly, SAML logout works fine at the SP with Keycloak 3.1.0, but I get the base64 decode error only with Keycloak 3.4.3, hence I mailed regarding this.

I am also checking with the SP support team to know why this error occurred. In case I need some other information from your side, I will mail you back.

Thanks again for your help.

On Fri, 15 Mar 2019, 18:44 John Dennis, wrote:
> On 3/15/19 5:06 AM, Jyoti Kumar Singh wrote:
> > Hi Team,
> >
> > We are seeing slight difference in SAML logout request (specifically
> > the SessionIndex tag) formed by Keycloak 3.4.3 compared with Keycloak 3.1.0. Below is the
> > sample logout response for the same.
> >
> > If you notice the highlighted section, you can see SessionIndex value in
> > Keycloak 3.1.0 is one dynamic value but SessionIndex in Keycloak 3.4.3 is
> > separated by "::", I am willing to know the significance of this
> > separation.
> >
> > It seems that some of the SAML Service Provider is not able to recognize
> > this change in SessionIndex tag (formed by Keycloak 3.4.3) and throwing "Error
> > during Base64 decoding of LogoutRequest" error. Please suggest your
> > thoughts on this.
> >
> > Kindly let me know for any further clarification on this.
>
> The SAML Core specification defines the type of a SessionIndex as a
> string. There are no restrictions on the content of the string. There
> are some recommendations regarding the string content with respect to
> privacy. Hence session participants should treat the SessionIndex as an
> opaque identifier.
>
> If an SP is generating an error because of the presence of some
> combination of characters in the opaque identifier it would be SP
> implementation issue.
>
> I have no idea why base64 decoding would be relevant in this context.
>
>
> --
> John Dennis
>

From vikram.eswar at fleetroute.com Fri Mar 15 10:02:02 2019
From: vikram.eswar at fleetroute.com (Vikram)
Date: Fri, 15 Mar 2019 15:02:02 +0100
Subject: [keycloak-user] Listing users with a specific role and group through the admin client on springboot
Message-ID:

Hi all,

Versions in use:
Springboot version: 2.1.3 FINAL
Keycloak version: 4.8.2
Springboot adapter version: 4.8.3 FINAL
Keycloak admin client: 4.8.2 FINAL

So I am trying to get all the users that have the role "customer" and belong to the group "group1". I am using the following code.

    import java.util.ArrayList;
    import java.util.List;
    import java.util.Set;
    import org.keycloak.admin.client.resource.RoleResource;
    import org.keycloak.representations.idm.UserRepresentation;

    RoleResource roleResource = realmResource.roles().get("customer");
    Set<UserRepresentation> customers = roleResource.getRoleUserMembers();
    List<UserRepresentation> groupCustomers = new ArrayList<>();
    for (UserRepresentation user : customers) {
        if (user.getGroups().contains("group1")) { // error
            System.out.println("group customer: " + user.getUsername());
            groupCustomers.add(user);
        }
    }

However, I get an error when I loop through the user representations to read the group names. I do not get the group and roles information. I get the username, first name and last name though. Is it a permission issue? How can I get around it?

Regards,
Vikram

From au.direction at gmail.com Fri Mar 15 10:07:10 2019
From: au.direction at gmail.com (Андрей Ушаков)
Date: Fri, 15 Mar 2019 16:07:10 +0200
Subject: [keycloak-user] Terms and conditions on the registration page
Message-ID:

Hi,

keycloak has a "terms and conditions" feature, but it appears only on the next page after registration. Is there a way to put it on the registration page as a checkbox using the admin panel? If not, will security be impacted if I do it programmatically via js and by editing register.ftl?

From j9dy1g at gmail.com Fri Mar 15 10:56:51 2019
From: j9dy1g at gmail.com (Jody H)
Date: Fri, 15 Mar 2019 15:56:51 +0100
Subject: [keycloak-user] Keycloak to Keycloak identity brokering fails with "No access_token from server"
Message-ID:

Hi,

we have a keycloak instance up and running which we want to use for identity brokering (https://www.keycloak.org/docs/latest/server_admin/index.html#_identity_broker) with another keycloak instance. We use the keycloak to keycloak identity broker method, which is offered in the admin dashboard of keycloak. After configuring the required fields and setting the authentication method for the browser flow to redirect to our "keycloak identity broker", we get an exception in the server logs of the "consuming keycloak":

14:38:09,312 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-52) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.
at org.keycloak.broker.oidc.OIDCIdentityProvider.verifyAccessToken(OIDCIdentityProvider.java:476) at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:344) at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:422) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) I have described the problem more in-depth in this JIRA ticket: https://issues.jboss.org/browse/KEYCLOAK-9829 Has someone set up keycloak to keycloak identity brokering before? Am I missing some configuration in the client settings within my "keycloak identity broker"? Thanks Jody From manuel.waltschek at prisma-solutions.at Fri Mar 15 11:10:31 2019 From: manuel.waltschek at prisma-solutions.at (Manuel Waltschek) Date: Fri, 15 Mar 2019 15:10:31 +0000 Subject: [keycloak-user] keycloak saml idp redirect to specific url Message-ID: <793ee593565f4219aa7ae56a5bd43725@EXMBX24.SFP-Net.skyfillers.local> Hello KC community, I am trying to configure my saml client of a brokered IdP. I want to redirect to a specific url after login so I tried to configure Root URL = https://myhost.bla/myapp Valid Redirect URIs = https://myhost.bla/myapp/myurl Base URL = myurl But it always redirects me to https://myhost.bla/myapp after successful login. Can you please tell me what each of them really do? regards [Logo] Manuel Waltschek BSc. +43 660 86655 47 manuel.waltschek at prisma-solutions.at https://www.prisma-solutions.com PRISMA solutions EDV-Dienstleistungen GmbH Klostergasse 18, 2340 M?dling, Austria Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt -------------- next part -------------- A non-text attachment was scrubbed... 
Name: image001.png Type: image/png Size: 6418 bytes Desc: image001.png Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190315/9da1fae4/attachment.png From manuel.waltschek at prisma-solutions.at Fri Mar 15 11:19:10 2019 From: manuel.waltschek at prisma-solutions.at (Manuel Waltschek) Date: Fri, 15 Mar 2019 15:19:10 +0000 Subject: [keycloak-user] saml idp broker logout Message-ID: <66573657ef10426e872b5d2f734c7f15@EXMBX24.SFP-Net.skyfillers.local> Hello KC community, I try to implement logout with SAML by doing Httprequest.logout() as documented in KC docs, but it seems that I keep the session cookie and nothing happens. Any workarounds for this? regards [Logo] Manuel Waltschek BSc. +43 660 86655 47 manuel.waltschek at prisma-solutions.at https://www.prisma-solutions.com PRISMA solutions EDV-Dienstleistungen GmbH Klostergasse 18, 2340 M?dling, Austria Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.png Type: image/png Size: 6418 bytes Desc: image001.png Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190315/f70de684/attachment-0001.png From Sebastian.Schuster at bosch-si.com Fri Mar 15 11:58:33 2019 From: Sebastian.Schuster at bosch-si.com (Schuster Sebastian (INST-CSS/BSV-OS2)) Date: Fri, 15 Mar 2019 15:58:33 +0000 Subject: [keycloak-user] Keycloak to Keycloak identity brokering fails with "No access_token from server" In-Reply-To: References: Message-ID: <2a275f3110ff49aaa936389990917aa8@bosch-si.com> I recently had this issue, reason being that the client secret for the external identity provider was wrong... Maybe you have got the same problem. The error message is a bit misleading. Best regards, Sebastian Mit freundlichen Gr??en / Best regards Dr.-Ing. Sebastian Schuster Open Source Services (INST-CSS/BSV-OS2) Bosch?Software Innovations?GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com Tel. 
+49 30 726112-485 | Mobil +49 152 02177668 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten L?cke; Gesch?ftsf?hrung: Dr. Stefan Ferber, Michael Hahn, Dr. Aleksandar Mitrovic -----Urspr?ngliche Nachricht----- Von: keycloak-user-bounces at lists.jboss.org Im Auftrag von Jody H Gesendet: Freitag, 15. M?rz 2019 15:57 An: keycloak-user at lists.jboss.org Betreff: [keycloak-user] Keycloak to Keycloak identity brokering fails with "No access_token from server" Hi, we have a keycloak instance up and running which we want to use for identity brokering ( https://www.keycloak.org/docs/latest/server_admin/index.html#_identity_broker) with another keycloak instance. We use the keycloak to keycloak identity broker method, which is offered in the admin dashboard of keycloak. After configuring the required fields and setting the authentication method for the browser flow to redirect to our "keycloak identity broker", we get an exception in the server logs of the "consuming keycloak": 14:38:09,312 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-52) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server. at org.keycloak.broker.oidc.OIDCIdentityProvider.verifyAccessToken(OIDCIdentityProvider.java:476) at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:344) at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:422) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) I have described the problem more in-depth in this JIRA ticket: https://issues.jboss.org/browse/KEYCLOAK-9829 Has someone set up keycloak to keycloak identity brokering before? Am I missing some configuration in the client settings within my "keycloak identity broker"? 
Thanks Jody _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From andrewm659 at yahoo.com Fri Mar 15 14:17:32 2019 From: andrewm659 at yahoo.com (Andrew Meyer) Date: Fri, 15 Mar 2019 18:17:32 +0000 (UTC) Subject: [keycloak-user] Mariadb driver version In-Reply-To: <1455448609.6013794.1552656923052@mail.yahoo.com> References: <1727719425.5549273.1552583606299.ref@mail.yahoo.com> <1727719425.5549273.1552583606299@mail.yahoo.com> <9a5e0b83-e2ff-c84c-8b6f-51a076cc5de9@redhat.com> <1455448609.6013794.1552656923052@mail.yahoo.com> Message-ID: <1222506259.6161837.1552673852169@mail.yahoo.com> I take that back.? It's still throwing an error when I run this as a service. I am trying 5.0.0 now. Mar 15 13:15:12 saml01 standalone.sh: Caused by: java.lang.RuntimeException: Failed to connect to databaseMar 15 13:15:12 saml01 standalone.sh: Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException]Mar 15 13:15:12 saml01 standalone.sh: Caused by: java.lang.IllegalStateException"}} I am using mysql-java-connector-5.1.47 but open to changing this. On Friday, March 15, 2019, 8:35:23 AM CDT, Andrew Meyer wrote: So I have 5.1.47 and that is giving me trouble. Sent from Yahoo Mail on Android On Fri, Mar 15, 2019 at 3:45 AM, Vlasta Ramik wrote: Hey Andrew, we use 2.2.4 currently [1] V. [1] https://mvnrepository.com/artifact/org.mariadb.jdbc/mariadb-java-client/2.2.4 On 3/14/19 6:13 PM, Andrew Meyer wrote: > What mariadb Java driver version should I use when using mariadb 10.1.x as the server?? 
> > Sent from Yahoo Mail on Android > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From niko at n-k.de Sat Mar 16 11:30:40 2019 From: niko at n-k.de (=?utf-8?Q?Niko_K=C3=B6bler?=) Date: Sat, 16 Mar 2019 16:30:40 +0100 Subject: [keycloak-user] Best practice for getting roles for all users In-Reply-To: References: Message-ID: <8311B21E-D25D-476B-B744-2F2D9965731D@n-k.de> Hi Ben, I don't know any built-in possibility to achieve this with Keycloak. Depending on the amount of roles, you could do "reverse" lookup and query all roles for their users. Then you have to re-sort the results to get all roles for each user. Second option could be to write a custom REST endpoint with a custom database query for exactly these informations. Would be more efficient than multiple queries over the API, but is prone to database changes (although they might be unlikely, imo). So you would have to track changes. Cheers, - Niko > Am 11.03.2019 um 16:32 schrieb Benjamin Huskic : > > Hello everybody, > > I need to query a list of all users with their roles in our application. I would like to avoid calling for every user (~10000) the GET /auth/admin/realms/{realm}/users/{user-uuid}/role-mappings/realm. The GET /auth/admin/realms/{realm}/users unfortunately does not provide the roles. I have read the API documentation and tried to find out any recommendation on the web, but I didn't find any. The only thing I found was a feature request which might help to lower the calls: https://issues.jboss.org/browse/KEYCLOAK-2035 but it seems that this feature was not implemented. > > I would like to know if there is a best practice for getting roles for all the users because calling a million times the role-mapping is very inefficient. > > Thank you in advance > Kind regards, > Benjamin > > > > > [cid:image001.png at 01D4D841.19FC8380] > > Benjamin Huski? 
> Founder & Solution Director > > mobile: +971-5444-9-4664 > email: benjamin.huskic at thequalitygate.com > web: http://www.thequalitygate.com > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From benjamin.huskic at thequalitygate.com Sat Mar 16 11:37:11 2019 From: benjamin.huskic at thequalitygate.com (Benjamin Huskic) Date: Sat, 16 Mar 2019 15:37:11 +0000 Subject: [keycloak-user] Best practice for getting roles for all users In-Reply-To: <8311B21E-D25D-476B-B744-2F2D9965731D@n-k.de> References: <8311B21E-D25D-476B-B744-2F2D9965731D@n-k.de> Message-ID: Hi Niko, Thanks for the update. We were thinking of something similar, and good to know that there is in fact no efficient option. Cheers, Ben -----Original Message----- From: Niko K?bler Sent: Saturday, 16 March 2019 19:31 To: Benjamin Huskic Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Best practice for getting roles for all users Hi Ben, I don't know any built-in possibility to achieve this with Keycloak. Depending on the amount of roles, you could do "reverse" lookup and query all roles for their users. Then you have to re-sort the results to get all roles for each user. Second option could be to write a custom REST endpoint with a custom database query for exactly these informations. Would be more efficient than multiple queries over the API, but is prone to database changes (although they might be unlikely, imo). So you would have to track changes. Cheers, - Niko > Am 11.03.2019 um 16:32 schrieb Benjamin Huskic : > > Hello everybody, > > I need to query a list of all users with their roles in our application. I would like to avoid calling for every user (~10000) the GET /auth/admin/realms/{realm}/users/{user-uuid}/role-mappings/realm. The GET /auth/admin/realms/{realm}/users unfortunately does not provide the roles. 
I have read the API documentation and tried to find out any recommendation on the web, but I didn't find any. The only thing I found was a feature request which might help to lower the calls: https://issues.jboss.org/browse/KEYCLOAK-2035 but it seems that this feature was not implemented. > > I would like to know if there is a best practice for getting roles for all the users because calling a million times the role-mapping is very inefficient. > > Thank you in advance > Kind regards, > Benjamin > > > > > [cid:image001.png at 01D4D841.19FC8380] > > Benjamin Huski? > Founder & Solution Director > > mobile: +971-5444-9-4664 > email: benjamin.huskic at thequalitygate.com > web: http://www.thequalitygate.com > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From e.orbons at speakup.nl Sun Mar 17 05:50:31 2019 From: e.orbons at speakup.nl (Erik Orbons) Date: Sun, 17 Mar 2019 09:50:31 +0000 Subject: [keycloak-user] Account linking as a required login action Message-ID: <5920c8b9c01b46e0bdf3ac3d7f9d352e@speakup.nl> Hello, I'm facing difficulties implementing a specific requirement using Keycloak. Since searches on the topic also came up empty I'm hoping someone could shed some insight into how I can approach the following situation: We have a Keycloak realm containing user accounts that can access several clients also within the same realm, all pretty standard. This realm also has a federated identity provider (using OpenID Connect) which can be linked to the local accounts and for which external claims are mapped to local user attributes. One of our client applications requires the attributes from the external identity provider to be present, which may not be the case if the user hasn't set up the account link yet (through explicit linking or brokered login). 
Also from a strategic point of view we want to encourage users to log in using their local accounts instead of the external accounts (we're using this construction as a first step to migrate away from the external IDP). Now I'm tasked with the challenge to come up with a login flow that after a normal local login (form+OTP) checks if the link to the external account is present and if not, present the user with the choice to set up the link there and then as part of the login flow. I've tried: - Implementing a custom authenticator that checks if the IDP link is present. Combined with the IDP redirector authenticator I'm able to force a login at the external IDP. After being redirected back to Keycloak the user enters the first broker login flow, however any kind of customization there doesn't seem to allow me to link the external account to the existing local account without re-authentication (which doesn't make sense from a user point of view because he or she just logged in to the local account). - It occurred to me that a required action might be a more suitable solution, however Keycloak doesn't appear to offer such functionality out of the box and so far I've come up blank as to how to implement this specific use case as a required action. As for my questions: 1) What would be the best way to approach this specific use case using Keycloak? Or perhaps there's a good reason why I should avoid this situation that I haven't spotted yet? 2) Assuming customization is required: could someone share some pointers as to how to implement the account linking as a required login step? I've implemented my fair share of required actions and authenticators, so I'm familiar with the basics. Thank you, any insights are greatly appreciated! Regards, Erik From todd at toddmancini.com Sun Mar 17 20:28:21 2019 From: todd at toddmancini.com (Todd A. 
Mancini) Date: Mon, 18 Mar 2019 00:28:21 +0000 Subject: [keycloak-user] How can I get Keycloak to send an HTTPS Redirect URI to GitHub rather than HTTP? Message-ID: Loving Keycloak (amazing work) and hoping I'm just missing something obvious. I've got a GitHub identity provider and all is working well except for one thing. My Keycloak server is on HTTP, sitting behind a reverse proxy handling all of the TLS goodness. When I look at the GitHub Identity Provider, it shows http://keycloak/auth/realms/myrealm/broker/github/endpoint. My app server is available at https://example.com, even though it, too, is actually only running HTTP and the rev proxy is doing the TLS. For the most part, everything works as expected. (FYI, the reverse proxy forwards all traffic to https://example.com/auth to http://keycloak/auth.) The one thing not working 100% properly is the redirect uri sent to GitHub. It's HTTP, not HTTPS. It is correctly getting the new host name (e.g. it becomes http://example.com/auth/realms/myrealm/broker/github/endpoint), but even though my browser is hitting https://example.com, the redirect uri sent to GitHub is HTTP. GitHub complains that it's not the right redirect url, because on GitHub I've set it to https://example.com/auth/realms/myrealm/broker/github/endpoint. If I change the OAuth redirect URL on GitHub to expect HTTP instead of HTTPS, everything works...except that I'm now doing the final handshake over HTTP. (The rev proxy actually forces a redirect to HTTPS, but, by that point, the damage has been done.) So my question is, how can I get Keycloak to send an HTTPS Redirect URI to GitHub rather than HTTP? How is KC even deciding to use HTTP v HTTPS? I've tried requiring SSL on the Realm login settings, but that did not seem to impact the generation of the Redirect URI. Many thanks! 
-Todd From vramik at redhat.com Mon Mar 18 03:27:50 2019 From: vramik at redhat.com (Vlasta Ramik) Date: Mon, 18 Mar 2019 08:27:50 +0100 Subject: [keycloak-user] Mariadb driver version In-Reply-To: <1222506259.6161837.1552673852169@mail.yahoo.com> References: <1727719425.5549273.1552583606299.ref@mail.yahoo.com> <1727719425.5549273.1552583606299@mail.yahoo.com> <9a5e0b83-e2ff-c84c-8b6f-51a076cc5de9@redhat.com> <1455448609.6013794.1552656923052@mail.yahoo.com> <1222506259.6161837.1552673852169@mail.yahoo.com> Message-ID: <32abb95b-4a6e-f11d-b030-76e4fbd0a592@redhat.com> I'm not familiar with details how mysql-java-connector and mariadb-java-client differs in details but I think for mariadb you should use mariadb-java-client. On 3/15/19 7:17 PM, Andrew Meyer wrote: > I take that back.? It's still throwing an error when I run this as a > service. > > I am trying 5.0.0 now. > > Mar 15 13:15:12 saml01 standalone.sh: Caused by: > java.lang.RuntimeException: Failed to connect to database > Mar 15 13:15:12 saml01 standalone.sh: Caused by: > javax.naming.NameNotFoundException: datasources/KeycloakDS [Root > exception is java.lang.IllegalStateException] > Mar 15 13:15:12 saml01 standalone.sh: Caused by: > java.lang.IllegalStateException"}} > > > > I am using mysql-java-connector-5.1.47 but open to changing this. > > On Friday, March 15, 2019, 8:35:23 AM CDT, Andrew Meyer > wrote: > > > So I have 5.1.47 and that is giving me trouble. > > Sent from Yahoo Mail on Android > > > On Fri, Mar 15, 2019 at 3:45 AM, Vlasta Ramik > wrote: > Hey Andrew, > > we use 2.2.4 currently [1] > > V. > > [1] > https://mvnrepository.com/artifact/org.mariadb.jdbc/mariadb-java-client/2.2.4 > > On 3/14/19 6:13 PM, Andrew Meyer wrote: > > What mariadb Java driver version should I use when using mariadb > 10.1.x as the server?? 
> > > > Sent from Yahoo Mail on Android > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > From wugang.bi at samsung.com Mon Mar 18 04:29:39 2019 From: wugang.bi at samsung.com (=?UTF-8?B?5q+V5Yqh5Yia?=) Date: Mon, 18 Mar 2019 17:29:39 +0900 Subject: [keycloak-user] keycloak-gatekeeper test with example-usage-and-configuration, but fail References: Message-ID: <20190318082939epcms5p4b2ac33b8c54a86b54a28ef94831dd7e6@epcms5p4> A non-text attachment was scrubbed... Name: not available Type: image/png Size: 33527 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190318/07346543/attachment-0001.png From uo67113 at gmail.com Mon Mar 18 06:29:11 2019 From: uo67113 at gmail.com (=?UTF-8?Q?Luis_Rodr=C3=ADguez_Fern=C3=A1ndez?=) Date: Mon, 18 Mar 2019 11:29:11 +0100 Subject: [keycloak-user] How to deploy new keycloak.json In-Reply-To: References: <20190313190839.GA31505@abstractj.org> Message-ID: Hello Paras, As you mentioned "standalone mode" I immediately thought in the keycloak server [1]. However having a look at your link I've realized that you must be trying to secure your application. That json file is the adapter config (keycloak.json) that by default is in the WEB-INF folder of your war application. Hope it helps, Luis [1] https://www.keycloak.org/docs/latest/server_installation/index.html#_standalone-mode [2] https://www.keycloak.org/docs/latest/securing_apps/index.html#java-adapters El jue., 14 mar. 2019 a las 16:00, Paras Jain () escribi?: > Thanks for your responses Luis and Bruno. I have started looking at > quickstart in more details yesterday and they are helpful. Just to give a > little more background to my specific problem. We are using Keycloak for > last 2-3 months. We are running it successfully in standalone mode. 
Right > now we are facing a CORS issue and to resolve that CORS issue I need to > place updated keycloak.json somewhere, but I don't know where. I have > downloaded the file from admin console as mentioned in > https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/java-adapter-config.html > and made necessary modifications. I don't know how to apply it. That is my > immediate challenge. > ------------------------------ > Paras Jain > rivetlogic > Voice +1.703.879.3097 > Skype paras.jain_rivetlogic > GTalk pjain at rivetlogic.com > Calendar paras jain's calendar > > > > On Thu, Mar 14, 2019 at 6:38 AM Luis Rodr?guez Fern?ndez < > uo67113 at gmail.com> wrote: > >> Hello Paras, >> >> Yes, definitely quickstarts and latest documentation are good places to >> start. >> >> There is also a keycloak docker image [1]. Just creating the admin user >> and >> adding your json should be enough for you: >> docker run -e KEYCLOAK_USER= -e KEYCLOAK_PASSWORD \ >> -e KEYCLOAK_IMPORT=/tmp/example-realm.json -v >> /tmp/example-realm.json:/tmp/example-realm.json jboss/keycloak >> >> As well you can run it from sources using maven [2]: >> >> mvn -f keycloak/testsuite/utils/pom.xml exec:java -Pkeycloak-server >> -Dimport=/tmp/example-realm.json >> >> Hope it helps, >> >> Luis >> >> [1] https://hub.docker.com/r/jboss/keycloak/ >> [2] >> >> https://db-blog.web.cern.ch/blog/luis-rodriguez-fernandez/2018-12-testing-web-applications-sso-keycloak >> >> >> El mi?., 13 mar. 2019 a las 20:16, Bruno Oliveira () >> escribi?: >> >> > Hi Paras, I'd suggest to look at the quickstarts. They may provide some >> > guidance https://github.com/keycloak/keycloak-quickstarts. >> > >> > Also, the latest docs are here: >> > https://www.keycloak.org/documentation.html >> > >> > >> > On 2019-03-13, Paras Jain wrote: >> > > Hi, >> > > >> > > I am running keycloak in standalone mode. 
As per >> > > >> > >> https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/java-adapter-config.html >> > > I have copied the client config from admin console and created a >> > > keycloak.json. But I don't know where to put this file for it to take >> > > effect. Is there any documentation for that? >> > > >> > > -- >> > > CONFIDENTIALITY NOTICE: This e-mail, including attachments, is for the >> > sole >> > > use of the intended recipient(s) and may contain confidential and >> > > privileged information or otherwise be protected by law. Any >> > unauthorized >> > > review, use, disclosure or distribution is prohibited. If you are not >> > the >> > > intended recipient, please contact the sender and destroy all copies >> and >> > > the original message. >> > > _______________________________________________ >> > > keycloak-user mailing list >> > > keycloak-user at lists.jboss.org >> > > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> > -- >> > >> > abstractj >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> >> >> -- >> >> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." >> >> - Samuel Beckett >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > CONFIDENTIALITY NOTICE: This e-mail, including attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information or otherwise be protected by law. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender and destroy all copies and the original message. > > -- "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." 
- Samuel Beckett From sylvain.malnuit at lyra-network.com Mon Mar 18 06:44:14 2019 From: sylvain.malnuit at lyra-network.com (Sylvain Malnuit) Date: Mon, 18 Mar 2019 11:44:14 +0100 (CET) Subject: [keycloak-user] Keycloak Gatekeeper + API Key + Service Account Message-ID: <001401d4dd77$873e70d0$95bb5270$@lyra-network.com> Hi, Using Keycloak , it's possible to declare client like a service account . Client secret becomes API key. In my case, I'm going to generate 10 clients (10 API keys). I have tried to use Keycloak-gatekeeper to cover this use case but GK support only one client. In my case, I 'm understanding that I must create 10 instances of GT :(. Is there a way to associate various client to one instance of GT (different paths .) ? Thxs for your help. Regards, Sylvain From todd at toddmancini.com Mon Mar 18 07:18:56 2019 From: todd at toddmancini.com (Todd A. Mancini) Date: Mon, 18 Mar 2019 11:18:56 +0000 Subject: [keycloak-user] How can I get Keycloak to send an HTTPS Redirect URI to GitHub rather than HTTP? In-Reply-To: References: Message-ID: Figured it out -- needed to set PROXY_ADDRESS_FORWARDING to true on my Keycloak container. -----Original Message----- From: keycloak-user-bounces at lists.jboss.org On Behalf Of Todd A. Mancini Sent: Sunday, March 17, 2019 8:28 PM To: keycloak-user at lists.jboss.org Subject: [keycloak-user] How can I get Keycloak to send an HTTPS Redirect URI to GitHub rather than HTTP? Loving Keycloak (amazing work) and hoping I'm just missing something obvious. I've got a GitHub identity provider and all is working well except for one thing. My Keycloak server is on HTTP, sitting behind a reverse proxy handling all of the TLS goodness. When I look at the GitHub Identity Provider, it shows http://keycloak/auth/realms/myrealm/broker/github/endpoint. My app server is available at https://example.com, even though it, too, is actually only running HTTP and the rev proxy is doing the TLS. For the most part, everything works as expected. 
(FYI, the reverse proxy forwards all traffic to https://example.com/auth to http://keycloak/auth.) The one thing not working 100% properly is the redirect uri sent to GitHub. It's HTTP, not HTTPS. It is correctly getting the new host name (e.g. it becomes http://example.com/auth/realms/myrealm/broker/github/endpoint), but even though my browser is hitting https://example.com, the redirect uri sent to GitHub is HTTP. GitHub complains that it's not the right redirect url, because on GitHub I've set it to https://example.com/auth/realms/myrealm/broker/github/endpoint. If I change the OAuth redirect URL on GitHub to expect HTTP instead of HTTPS, everything works...except that I'm now doing the final handshake over HTTP. (The rev proxy actually forces a redirect to HTTPS, but, by that point, the damage has been done.) So my question is, how can I get Keycloak to send an HTTPS Redirect URI to GitHub rather than HTTP? How is KC even deciding to use HTTP v HTTPS? I've tried requiring SSL on the Realm login settings, but that did not seem to impact the generation of the Redirect URI. Many thanks! -Todd _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From pjain at rivetlogic.com Mon Mar 18 08:05:21 2019 From: pjain at rivetlogic.com (Paras Jain) Date: Mon, 18 Mar 2019 08:05:21 -0400 Subject: [keycloak-user] How to deploy new keycloak.json In-Reply-To: References: <20190313190839.GA31505@abstractj.org> Message-ID: Hi Luis, Thanks, will try that. ------------------------------ Paras Jain rivetlogic Voice +1.703.879.3097 Skype paras.jain_rivetlogic GTalk pjain at rivetlogic.com Calendar paras jain's calendar On Mon, Mar 18, 2019 at 6:48 AM Luis Rodr?guez Fern?ndez wrote: > Hello Paras, > > As you mentioned "standalone mode" I immediately thought in the keycloak > server [1]. 
However having a look at your link I've realized that you must
> be trying to secure your application. That json file is the adapter config
> (keycloak.json) that by default is in the WEB-INF folder of your war
> application.
>
> Hope it helps,
>
> Luis
>
> [1] https://www.keycloak.org/docs/latest/server_installation/index.html#_standalone-mode
> [2] https://www.keycloak.org/docs/latest/securing_apps/index.html#java-adapters
>
> On Thu, 14 Mar 2019 at 16:00, Paras Jain ()
> wrote:
>
> > Thanks for your responses Luis and Bruno. I have started looking at the
> > quickstarts in more detail yesterday and they are helpful. Just to give a
> > little more background to my specific problem. We have been using Keycloak for
> > the last 2-3 months. We are running it successfully in standalone mode. Right
> > now we are facing a CORS issue and to resolve that CORS issue I need to
> > place an updated keycloak.json somewhere, but I don't know where. I have
> > downloaded the file from the admin console as mentioned in
> > https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/java-adapter-config.html
> > and made the necessary modifications. I don't know how to apply it. That is my
> > immediate challenge.
> > ------------------------------
> > Paras Jain
> > rivetlogic
> > Voice +1.703.879.3097
> > Skype paras.jain_rivetlogic
> > GTalk pjain at rivetlogic.com
> > Calendar paras jain's calendar
> > <http://www.google.com/calendar/hosted/rivetlogic.com/embed?src=pjain%40rivetlogic.com&ctz=America/New_York>
> >
> > On Thu, Mar 14, 2019 at 6:38 AM Luis Rodríguez Fernández <uo67113 at gmail.com> wrote:
> >
> >> Hello Paras,
> >>
> >> Yes, definitely the quickstarts and the latest documentation are good places to
> >> start.
> >>
> >> There is also a keycloak docker image [1]. Just creating the admin user
> >> and adding your json should be enough for you:
> >>
> >> docker run -e KEYCLOAK_USER= -e KEYCLOAK_PASSWORD \
> >>   -e KEYCLOAK_IMPORT=/tmp/example-realm.json \
> >>   -v /tmp/example-realm.json:/tmp/example-realm.json jboss/keycloak
> >>
> >> You can also run it from sources using maven [2]:
> >>
> >> mvn -f keycloak/testsuite/utils/pom.xml exec:java -Pkeycloak-server \
> >>   -Dimport=/tmp/example-realm.json
> >>
> >> Hope it helps,
> >>
> >> Luis
> >>
> >> [1] https://hub.docker.com/r/jboss/keycloak/
> >> [2] https://db-blog.web.cern.ch/blog/luis-rodriguez-fernandez/2018-12-testing-web-applications-sso-keycloak
> >>
> >> On Wed, 13 Mar 2019 at 20:16, Bruno Oliveira ()
> >> wrote:
> >>
> >> > Hi Paras, I'd suggest looking at the quickstarts. They may provide some
> >> > guidance: https://github.com/keycloak/keycloak-quickstarts.
> >> >
> >> > Also, the latest docs are here:
> >> > https://www.keycloak.org/documentation.html
> >> >
> >> > On 2019-03-13, Paras Jain wrote:
> >> > > Hi,
> >> > >
> >> > > I am running keycloak in standalone mode. As per
> >> > > https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/java-adapter-config.html
> >> > > I have copied the client config from the admin console and created a
> >> > > keycloak.json. But I don't know where to put this file for it to take
> >> > > effect. Is there any documentation for that?
> >> > >
> >> > > --
> >> > > CONFIDENTIALITY NOTICE: This e-mail, including attachments, is for the
> >> > > sole use of the intended recipient(s) and may contain confidential and
> >> > > privileged information or otherwise be protected by law. Any unauthorized
> >> > > review, use, disclosure or distribution is prohibited. If you are not the
> >> > > intended recipient, please contact the sender and destroy all copies and
> >> > > the original message.
> >> > > _______________________________________________
> >> > > keycloak-user mailing list
> >> > > keycloak-user at lists.jboss.org
> >> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >> >
> >> > --
> >> >
> >> > abstractj
> >>
> >> --
> >>
> >> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
> >>
> >> - Samuel Beckett
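The adapter config Luis refers to, as an added example that is not part of this thread and not a file from the Keycloak project: a keycloak.json for a confidential client of the Java adapter, with the CORS options that bear on the problem Paras describes. The realm name, client id, server URL and secret are constructed placeholders; the keys are the Java adapter's standard configuration options. Per Luis's note, the file is read from WEB-INF/keycloak.json inside the WAR.

```json
{
  "realm": "example-realm",
  "auth-server-url": "https://sso.example.internal/auth",
  "ssl-required": "all",
  "resource": "example-web-app",
  "credentials": {
    "secret": "REPLACE-WITH-CLIENT-SECRET"
  },
  "enable-cors": true,
  "cors-max-age": 1000,
  "cors-allowed-methods": "GET, POST, PUT, DELETE",
  "cors-allowed-headers": "Authorization, Content-Type",
  "cors-exposed-headers": "WWW-Authenticate"
}
```

Two points a practitioner should check before blaming this file for a CORS failure. First, the allowed origins are not listed here: the adapter compares the request's Origin header with the Web Origins configured on the client in the admin console, which arrive in the token as its allowed-origins claim, so a missing origin in that list fails the request even with enable-cors set. Second, ssl-required "all" makes the adapter reject every plain-HTTP request, where the default "external" only enforces HTTPS for non-private addresses; pick "all" unless the deployment genuinely terminates TLS elsewhere. The secret is a credential and belongs out of version control, and because the adapter reads this file at deployment, an edited copy takes effect only after the WAR is redeployed.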
From vikram.eswar at fleetroute.com Mon Mar 18 08:19:27 2019
From: vikram.eswar at fleetroute.com (Vikram)
Date: Mon, 18 Mar 2019 13:19:27 +0100
Subject: [keycloak-user] Listing users with a specific role and group through the admin client on springboot
In-Reply-To:
References:
Message-ID: <5d11e8db-47d0-ab8d-a9e6-8631602597d8@fleetroute.com>

Does someone have anything on this?

Regards,
Vikram

On 3/15/2019 3:02 PM, Vikram wrote:
> Hi all,
>
> Versions in use:
>
> Springboot version : 2.1.3 FINAL
> Keycloak version : 4.8.2
> Springboot adapter version: 4.8.3 FINAL
> Keycloak admin client 4.8.2 FINAL
>
> So I am trying to get all the users that have a role "customer" and
> belong to a group "group1".
>
> I am using the following code.
>
> RoleResource roleResource = realmResource.roles().get("customer");
> Set<UserRepresentation> customers = roleResource.getRoleUserMembers();
> List<UserRepresentation> groupCustomers = new ArrayList<>();
>
> for (UserRepresentation user : customers) {
>     // error: as described below, these representations carry no group
>     // or role information, only username, first name and last name
>     if (user.getGroups().contains("group1")) {
>         System.out.println("group customer: " + user.getUsername());
>         groupCustomers.add(user);
>     }
> }
>
> However, I get an error when I loop through the user representations to
> read the group names. I do not get the group and roles information. I
> get the username, first name and last name though. Is it a permission
> issue? How can I get around it?
>
> Regards,
> Vikram

From kkcmadhu at yahoo.com Mon Mar 18 10:59:39 2019
From: kkcmadhu at yahoo.com (Madhu)
Date: Mon, 18 Mar 2019 14:59:39 +0000 (UTC)
Subject: [keycloak-user] LockAcquisitionException and Lock wait timeout exceeded exception in events
References: <1843881857.6536483.1552921179719.ref@mail.yahoo.com>
Message-ID: <1843881857.6536483.1552921179719@mail.yahoo.com>

Hi,

I am using keycloak 4.5.0.Final in one of my projects and I have a fairly large number of tenants (> 500). Of late I see frequent lock acquisition related errors and timeouts.

I am not able to figure out where and how this is originating; can you please help?

My suspicion is: is this related to events logging? Could this be because of a fairly large number of entries in the audit/events table?

Note the thread id default task-19354 for the event REFRESH_TOKEN_ERROR and the corresponding thread throwing LockAcquisitionException.

Regards,
Madhu

2019-03-17 17:14:47,010 WARN  [org.keycloak.events] (default task-19354) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress= xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
2019-03-17 17:15:13,183 WARN  [org.keycloak.events] (default task-19354) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress=xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
2019-03-17 17:24:31,128 WARN  [org.keycloak.events] (default task-19353) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress=xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
2019-03-17 17:46:17,677 WARN 
[org.keycloak.events] (default task-19353) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress=xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
2019-03-17 17:47:00,850 WARN  [org.keycloak.events] (default task-19353) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress=xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
2019-03-17 18:46:48,058 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-19354) SQL Error: 1205, SQLState: 40001
2019-03-17 18:46:48,059 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-19354) Lock wait timeout exceeded; try restarting transaction
2019-03-17 18:46:48,059 INFO  [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (default task-19354) HHH000010: On release of batch it still contained JDBC statements
2019-03-17 18:46:48,077 WARN  [com.arjuna.ats.arjuna] (default task-19354) ARJUNA012125: TwoPhaseCoordinator.beforeCompletion - failed for SynchronizationImple< 0:ffffc0a803b1:-a9285f2:5bf97526:bb36de, org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization at 5ad70e16 >: javax.persistence.PersistenceException: org.hibernate.exception.LockAcquisitionException: could not execute statement at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1608) at org.hibernate.jpa.internal.EntityManagerImpl$CallbackExceptionMapperImpl.mapManagedFlushFailure(EntityManagerImpl.java:235) at org.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:3163) at org.hibernate.internal.SessionImpl.beforeTransactionCompletion(SessionImpl.java:2352) at
org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl.beforeTransactionCompletion(JdbcCoordinatorImpl.java:491) at org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl.beforeCompletion(JtaTransactionCoordinatorImpl.java:316) at org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorNonTrackingImpl.beforeCompletion(SynchronizationCallbackCoordinatorNonTrackingImpl.java:47) at org.hibernate.resource.transaction.backend.jta.internal.synchronization.RegisteredSynchronization.beforeCompletion(RegisteredSynchronization.java:37) at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:236) at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:247) at org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.beforeCompletion(AbstractTransaction.java:292) at com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.beforeCompletion(SynchronizationImple.java:76) at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.beforeCompletion(TwoPhaseCoordinator.java:368) at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:91) at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289) at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:77) at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71) at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92) at 
org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136) at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43) at org.jboss.resteasy.core.interception.ContainerResponseContextImpl.filter(ContainerResponseContextImpl.java:353) at org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:207) at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:85) at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:59) at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:530) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:461) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:231) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:137) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:361) at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:140) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:217) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at 
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at 
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at 
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.lang.Thread.run(Thread.java:748)
Caused by: org.hibernate.exception.LockAcquisitionException: could not execute statement at org.hibernate.dialect.MySQLDialect$3.convert(MySQLDialect.java:511) at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:111) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:97) at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:207) at org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:45) at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3013) at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3513) at org.hibernate.action.internal.EntityInsertAction.execute(EntityInsertAction.java:89) at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:589) at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:463) at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337) at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39) at
org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1295) at org.hibernate.internal.SessionImpl.managedFlush(SessionImpl.java:468) at org.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:3159) ... 81 more
Caused by: com.mysql.cj.jdbc.exceptions.MySQLTransactionRollbackException: Lock wait timeout exceeded; try restarting transaction at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:121) at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:95) at com.mysql.cj.jdbc.exceptions.SQLExceptionsMapping.translateException(SQLExceptionsMapping.java:122) at com.mysql.cj.jdbc.ClientPreparedStatement.executeInternal(ClientPreparedStatement.java:960) at com.mysql.cj.jdbc.ClientPreparedStatement.executeUpdateInternal(ClientPreparedStatement.java:1116) at com.mysql.cj.jdbc.ClientPreparedStatement.executeUpdateInternal(ClientPreparedStatement.java:1066) at com.mysql.cj.jdbc.ClientPreparedStatement.executeLargeUpdate(ClientPreparedStatement.java:1396) at com.mysql.cj.jdbc.ClientPreparedStatement.executeUpdate(ClientPreparedStatement.java:1051) at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537) at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204) ...
92 more 2019-03-17 18:46:48,558 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-19354) Uncaught server error: org.keycloak.models.ModelException: org.hibernate.exception.LockAcquisitionException: could not execute statement at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61) at org.keycloak.connections.jpa.JpaExceptionConverter.convert(JpaExceptionConverter.java:31) at org.keycloak.transaction.JtaTransactionWrapper.handleException(JtaTransactionWrapper.java:65) at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:94) at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136) at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43) at org.jboss.resteasy.core.interception.ContainerResponseContextImpl.filter(ContainerResponseContextImpl.java:353) at org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:207) at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:85) at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:59) at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:530) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:461) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:231) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:137) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:361) at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:140) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:217) at 
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at 
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at 
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.lang.Thread.run(Thread.java:748)
Caused by: org.hibernate.exception.LockAcquisitionException: could not execute statement at org.hibernate.dialect.MySQLDialect$3.convert(MySQLDialect.java:511) at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:111) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:97) at
org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:207) at org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:45) at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3013) at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3513) at org.hibernate.action.internal.EntityInsertAction.execute(EntityInsertAction.java:89) at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:589) at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:463) at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337) at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39) at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1295) at org.hibernate.internal.SessionImpl.managedFlush(SessionImpl.java:468) at org.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:3159) at org.hibernate.internal.SessionImpl.beforeTransactionCompletion(SessionImpl.java:2352) at org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl.beforeTransactionCompletion(JdbcCoordinatorImpl.java:491) at org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl.beforeCompletion(JtaTransactionCoordinatorImpl.java:316) at org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorNonTrackingImpl.beforeCompletion(SynchronizationCallbackCoordinatorNonTrackingImpl.java:47) at org.hibernate.resource.transaction.backend.jta.internal.synchronization.RegisteredSynchronization.beforeCompletion(RegisteredSynchronization.java:37) at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:236) at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:247) 
at org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.beforeCompletion(AbstractTransaction.java:292) at com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.beforeCompletion(SynchronizationImple.java:76) at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.beforeCompletion(TwoPhaseCoordinator.java:368) at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:91) at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289) at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:77) at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71) at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92) ... 
63 more
Caused by: com.mysql.cj.jdbc.exceptions.MySQLTransactionRollbackException: Lock wait timeout exceeded; try restarting transaction at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:121) at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:95) at com.mysql.cj.jdbc.exceptions.SQLExceptionsMapping.translateException(SQLExceptionsMapping.java:122) at com.mysql.cj.jdbc.ClientPreparedStatement.executeInternal(ClientPreparedStatement.java:960) at com.mysql.cj.jdbc.ClientPreparedStatement.executeUpdateInternal(ClientPreparedStatement.java:1116) at com.mysql.cj.jdbc.ClientPreparedStatement.executeUpdateInternal(ClientPreparedStatement.java:1066) at com.mysql.cj.jdbc.ClientPreparedStatement.executeLargeUpdate(ClientPreparedStatement.java:1396) at com.mysql.cj.jdbc.ClientPreparedStatement.executeUpdate(ClientPreparedStatement.java:1051) at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537) at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204) ... 92 more

From mposolda at redhat.com Mon Mar 18 16:51:36 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 18 Mar 2019 21:51:36 +0100
Subject: [keycloak-user] LockAcquisitionException and Lock wait timeout exceeded exception in events
In-Reply-To: <1843881857.6536483.1552921179719@mail.yahoo.com>
References: <1843881857.6536483.1552921179719.ref@mail.yahoo.com> <1843881857.6536483.1552921179719@mail.yahoo.com>
Message-ID:

Hi,

what exactly is "tenant" in your case? Is it a client or a realm? We know that there are some issues with a big number of those entities, so you will probably see issues with 500 or more realms/clients.

Maybe it helps to increase the count of max DB connections - both at the datasource level in standalone(-ha).xml and in the settings of your MySQL DB. But not really sure...

Marek

On 18/03/2019 15:59, Madhu wrote:
> Hi,
>
> I am using keycloak 4.5.0.Final in one of my projects and I have a
> fairly large number of tenants (> 500).
> Of late I see frequent lock acquisition related errors and timeouts.
>
> I am not able to figure out where and how this is originating; can you
> please help?
>
> My suspicion is: is this related to events logging? Could this be
> because of a fairly large number of entries in the audit/events table?
>
> Note the thread id default task-19354 for the event
> REFRESH_TOKEN_ERROR and the corresponding thread throwing
> LockAcquisitionException.
>
> Regards,
> Madhu
>
> 2019-03-17 17:14:47,010 WARN  [org.keycloak.events] (default task-19354) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress= xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
> 2019-03-17 17:15:13,183 WARN  [org.keycloak.events] (default task-19354) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress=xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
> 2019-03-17 17:24:31,128 WARN  [org.keycloak.events] (default task-19353) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress=xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
> 2019-03-17 17:46:17,677 WARN  [org.keycloak.events] (default task-19353) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress=xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
> 2019-03-17 17:47:00,850 WARN 
From 4integration at gmail.com Mon Mar 18 16:56:36 2019 From: 4integration at gmail.com (4integration at gmail.com) Date: Mon, 18 Mar 2019 21:56:36 +0100 Subject: [keycloak-user] Swedish BankID with Keycloak? Message-ID: <00a301d4ddcd$1407d9c0$3c178d40$@gmail.com>

Hi, has anyone done an integration of Swedish BankID with Keycloak? We are looking for both authentication and signing using Swedish BankID.
Regards
Joacim

From kkcmadhu at yahoo.com Mon Mar 18 17:21:39 2019 From: kkcmadhu at yahoo.com (Madhu) Date: Mon, 18 Mar 2019 21:21:39 +0000 (UTC) Subject: [keycloak-user] LockAcquisitionException and Lock wait timeout exceeded exception in events In-Reply-To: References: <1843881857.6536483.1552921179719.ref@mail.yahoo.com> <1843881857.6536483.1552921179719@mail.yahoo.com> Message-ID: <2089523369.6602846.1552944099743@mail.yahoo.com>

Realm is tenant in my case. I have more than 600 realms and each realm has about 6 clients (excluding what gets shipped by default). There are 2 realm roles and 2 to 3 client roles per client; I have a script mapper and 2 groups and about 10 users in each realm. My max DB connection is 30. Let me check that again and try increasing it.

Madhu

Sent from Yahoo Mail on Android

On Tue, 19 Mar 2019 at 2:21 AM, Marek Posolda wrote:
Hi, what exactly is "tenant" in your case? Is it a client or a realm? We know that there are some issues with a big number of those entities, so you will probably see issues with 500 or more realms/clients. Maybe it helps to increase the count of max DB connections - both at the datasource level in standalone(-ha).xml and in the settings of your MySQL DB. But not really sure...
Marek

On 18/03/2019 15:59, Madhu wrote:
Hi, I am using keycloak 4.5.0.Final in one of my projects and I have a fairly large number of tenants (> 500). Of late I see frequent lock acquisition related errors and timeouts. I am not able to figure out where and how this is originating; can you please help? My suspicion is: is this related to events logging? Could this be because of a fairly large number of entries in the audit/events table? Note the thread id default task-19354 for the event REFRESH_TOKEN_ERROR and the corresponding thread throwing LockAcquisitionException.
Regards, Madhu
atio.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) atorg.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) atorg.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) atorg.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) atorg.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) atorg.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) atio.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) atio.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) atio.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) atorg.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) atorg.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) atorg.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) atorg.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.lang.Thread.run(Thread.java:748) Caused by: org.hibernate.exception.LockAcquisitionException: could not execute statement at org.hibernate.dialect.MySQLDialect$3.convert(MySQLDialect.java:511) atorg.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42) 
atorg.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:111) atorg.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:97) atorg.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:207) atorg.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:45) atorg.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3013) atorg.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3513) atorg.hibernate.action.internal.EntityInsertAction.execute(EntityInsertAction.java:89) atorg.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:589) atorg.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:463) atorg.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337) atorg.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39) at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1295) at org.hibernate.internal.SessionImpl.managedFlush(SessionImpl.java:468) atorg.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:3159) ... 
81 more Caused by: com.mysql.cj.jdbc.exceptions.MySQLTransactionRollbackException: Lock wait timeout exceeded; try restarting transaction atcom.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:121) atcom.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:95) atcom.mysql.cj.jdbc.exceptions.SQLExceptionsMapping.translateException(SQLExceptionsMapping.java:122) atcom.mysql.cj.jdbc.ClientPreparedStatement.executeInternal(ClientPreparedStatement.java:960) atcom.mysql.cj.jdbc.ClientPreparedStatement.executeUpdateInternal(ClientPreparedStatement.java:1116) atcom.mysql.cj.jdbc.ClientPreparedStatement.executeUpdateInternal(ClientPreparedStatement.java:1066) atcom.mysql.cj.jdbc.ClientPreparedStatement.executeLargeUpdate(ClientPreparedStatement.java:1396) atcom.mysql.cj.jdbc.ClientPreparedStatement.executeUpdate(ClientPreparedStatement.java:1051) atorg.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537) atorg.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204) ... 
92 more 2019-03-17 18:46:48,558 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-19354) Uncaught server error: org.keycloak.models.ModelException: org.hibernate.exception.LockAcquisitionException: could not execute statement atorg.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61) atorg.keycloak.connections.jpa.JpaExceptionConverter.convert(JpaExceptionConverter.java:31) atorg.keycloak.transaction.JtaTransactionWrapper.handleException(JtaTransactionWrapper.java:65) atorg.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:94) atorg.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136) atorg.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43) atorg.jboss.resteasy.core.interception.ContainerResponseContextImpl.filter(ContainerResponseContextImpl.java:353) atorg.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:207) atorg.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:85) atorg.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:59) atorg.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:530) atorg.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:461) atorg.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:231) atorg.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:137) atorg.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:361) atorg.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:140) atorg.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:217) 
atorg.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) atorg.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) atorg.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) atio.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) atio.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) atorg.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) atio.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) atio.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) atio.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) atio.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) atio.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) atorg.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) atio.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) atio.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) atio.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) atio.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) atio.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) 
atio.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) atio.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) atio.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) atio.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) atio.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) atio.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) atorg.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) atio.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) atorg.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) atio.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) atio.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) atio.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) atio.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) atio.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) atio.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) atio.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) atorg.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) 
atorg.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) atorg.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) atorg.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) atorg.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) atio.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) atio.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) atio.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) atorg.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) atorg.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) atorg.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) atorg.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.lang.Thread.run(Thread.java:748) Caused by: org.hibernate.exception.LockAcquisitionException: could not execute statement at org.hibernate.dialect.MySQLDialect$3.convert(MySQLDialect.java:511) atorg.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42) atorg.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:111) atorg.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:97) 
atorg.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:207) atorg.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:45) atorg.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3013) atorg.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3513) atorg.hibernate.action.internal.EntityInsertAction.execute(EntityInsertAction.java:89) atorg.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:589) atorg.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:463) atorg.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337) atorg.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39) at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1295) at org.hibernate.internal.SessionImpl.managedFlush(SessionImpl.java:468) atorg.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:3159) atorg.hibernate.internal.SessionImpl.beforeTransactionCompletion(SessionImpl.java:2352) atorg.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl.beforeTransactionCompletion(JdbcCoordinatorImpl.java:491) atorg.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl.beforeCompletion(JtaTransactionCoordinatorImpl.java:316) atorg.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorNonTrackingImpl.beforeCompletion(SynchronizationCallbackCoordinatorNonTrackingImpl.java:47) atorg.hibernate.resource.transaction.backend.jta.internal.synchronization.RegisteredSynchronization.beforeCompletion(RegisteredSynchronization.java:37) atorg.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:236) atorg.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:247) 
atorg.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.beforeCompletion(AbstractTransaction.java:292) atcom.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.beforeCompletion(SynchronizationImple.java:76) atcom.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.beforeCompletion(TwoPhaseCoordinator.java:368) atcom.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:91) at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) atcom.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289) atcom.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) atcom.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) atorg.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:77) atorg.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71) atorg.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92) ... 
63 more Caused by: com.mysql.cj.jdbc.exceptions.MySQLTransactionRollbackException: Lock wait timeout exceeded; try restarting transaction atcom.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:121) atcom.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:95) atcom.mysql.cj.jdbc.exceptions.SQLExceptionsMapping.translateException(SQLExceptionsMapping.java:122) atcom.mysql.cj.jdbc.ClientPreparedStatement.executeInternal(ClientPreparedStatement.java:960) atcom.mysql.cj.jdbc.ClientPreparedStatement.executeUpdateInternal(ClientPreparedStatement.java:1116) atcom.mysql.cj.jdbc.ClientPreparedStatement.executeUpdateInternal(ClientPreparedStatement.java:1066) atcom.mysql.cj.jdbc.ClientPreparedStatement.executeLargeUpdate(ClientPreparedStatement.java:1396) atcom.mysql.cj.jdbc.ClientPreparedStatement.executeUpdate(ClientPreparedStatement.java:1051) atorg.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537) atorg.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204) ... 92 more From kkcmadhu at yahoo.com Tue Mar 19 01:23:36 2019 From: kkcmadhu at yahoo.com (Madhu) Date: Tue, 19 Mar 2019 05:23:36 +0000 (UTC) Subject: [keycloak-user] LockAcquisitionException and Lock wait timeout exceeded exception in events In-Reply-To: <2089523369.6602846.1552944099743@mail.yahoo.com> References: <1843881857.6536483.1552921179719.ref@mail.yahoo.com> <1843881857.6536483.1552921179719@mail.yahoo.com> <2089523369.6602846.1552944099743@mail.yahoo.com> Message-ID: <24222316.6803825.1552973016192@mail.yahoo.com> Hi Marek, Thanks for quick response. I double checked my connection pool settings, this is what i have configuredMin Pool Size:50Max Pool Size:100Flush Strategy:IdleConnectionsPool Fair:truePool Prefill:falsePool Use Strict Min:falseUse Fast Fail:false Do you think i need to change this,? i donth think the system is starving for connections.. 
I will dig deeper here and get back.

Madhu

On Tuesday, 19 March, 2019, 2:51:39 am IST, Madhu wrote:

Realm is tenant in my case. I have more than 600 realms and each realm has about 6 clients (excluding what gets shipped by default). There are 2 realm roles and 2 to 3 client roles per client; I have a script mapper and 2 groups and about 10 users in each realm. My max DB connections is 30. Let me check that again and try increasing it.

Madhu

Sent from Yahoo Mail on Android

On Tue, 19 Mar 2019 at 2:21 AM, Marek Posolda wrote:

Hi,

What exactly is "tenant" in your case? Is it a client or a realm? We know that there are some issues with a big number of those entities, so you will probably see issues with 500 or more realms/clients. Maybe it helps to increase the count of max DB connections - both at the datasource level in standalone(-ha).xml and in the settings of your MySQL DB. But not really sure...

Marek

On 18/03/2019 15:59, Madhu wrote:

Hi,

I am using Keycloak 4.5.0.Final in one of my projects and I have a fairly large number of tenants (> 500). Of late I frequently see lock acquisition related errors and timeouts. I am not able to figure out where and how this is originating; can you please help? My suspicion is: is this related to events logging? Could this be because of a fairly large number of entries in the audit/events table? Note the thread id default task-19354 for the event REFRESH_TOKEN_ERROR and the corresponding thread throwing LockAcquisitionException.

Regards,
Madhu

2019-03-17 17:14:47,010 WARN  [org.keycloak.events] (default task-19354) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress=xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
2019-03-17 17:15:13,183 WARN  [org.keycloak.events] (default task-19354) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress=xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
2019-03-17 17:24:31,128 WARN 
[org.keycloak.events] (default task-19353) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress=xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
2019-03-17 17:46:17,677 WARN  [org.keycloak.events] (default task-19353) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress=xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
2019-03-17 17:47:00,850 WARN  [org.keycloak.events] (default task-19353) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress=xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
2019-03-17 18:46:48,058 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-19354) SQL Error: 1205, SQLState: 40001
2019-03-17 18:46:48,059 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-19354) Lock wait timeout exceeded; try restarting transaction
2019-03-17 18:46:48,059 INFO  [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (default task-19354) HHH000010: On release of batch it still contained JDBC statements
2019-03-17 18:46:48,077 WARN 
[com.arjuna.ats.arjuna] (default task-19354) ARJUNA012125: TwoPhaseCoordinator.beforeCompletion - failed for SynchronizationImple< 0:ffffc0a803b1:-a9285f2:5bf97526:bb36de,org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization@5ad70e16 >: javax.persistence.PersistenceException: org.hibernate.exception.LockAcquisitionException: could not execute statement
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1608)
    at org.hibernate.jpa.internal.EntityManagerImpl$CallbackExceptionMapperImpl.mapManagedFlushFailure(EntityManagerImpl.java:235)
    at org.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:3163)
    at org.hibernate.internal.SessionImpl.beforeTransactionCompletion(SessionImpl.java:2352)
    at org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl.beforeTransactionCompletion(JdbcCoordinatorImpl.java:491)
    at org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl.beforeCompletion(JtaTransactionCoordinatorImpl.java:316)
    at org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorNonTrackingImpl.beforeCompletion(SynchronizationCallbackCoordinatorNonTrackingImpl.java:47)
    at org.hibernate.resource.transaction.backend.jta.internal.synchronization.RegisteredSynchronization.beforeCompletion(RegisteredSynchronization.java:37)
    at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:236)
    at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:247)
    at org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.beforeCompletion(AbstractTransaction.java:292)
    at com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.beforeCompletion(SynchronizationImple.java:76)
    at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.beforeCompletion(TwoPhaseCoordinator.java:368)
    at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:91)
    at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162)
    at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289)
    at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126)
    at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
    at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:77)
    at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71)
    at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92)
    at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136)
    at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43)
    at org.jboss.resteasy.core.interception.ContainerResponseContextImpl.filter(ContainerResponseContextImpl.java:353)
    at org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:207)
    at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:85)
    at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:59)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:530)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:461)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:231)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:137)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:361)
    at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:140)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:217)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.hibernate.exception.LockAcquisitionException: could not execute statement
    at org.hibernate.dialect.MySQLDialect$3.convert(MySQLDialect.java:511)
    at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42)
    at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:111)
    at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:97)
    at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:207)
    at org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:45)
    at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3013)
    at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3513)
    at org.hibernate.action.internal.EntityInsertAction.execute(EntityInsertAction.java:89)
    at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:589)
    at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:463)
    at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337)
    at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39)
    at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1295)
    at org.hibernate.internal.SessionImpl.managedFlush(SessionImpl.java:468)
    at org.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:3159)
    ... 81 more
Caused by: com.mysql.cj.jdbc.exceptions.MySQLTransactionRollbackException: Lock wait timeout exceeded; try restarting transaction
    at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:121)
    at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:95)
    at com.mysql.cj.jdbc.exceptions.SQLExceptionsMapping.translateException(SQLExceptionsMapping.java:122)
    at com.mysql.cj.jdbc.ClientPreparedStatement.executeInternal(ClientPreparedStatement.java:960)
    at com.mysql.cj.jdbc.ClientPreparedStatement.executeUpdateInternal(ClientPreparedStatement.java:1116)
    at com.mysql.cj.jdbc.ClientPreparedStatement.executeUpdateInternal(ClientPreparedStatement.java:1066)
    at com.mysql.cj.jdbc.ClientPreparedStatement.executeLargeUpdate(ClientPreparedStatement.java:1396)
    at com.mysql.cj.jdbc.ClientPreparedStatement.executeUpdate(ClientPreparedStatement.java:1051)
    at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537)
    at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204)
    ...
92 more 2019-03-17 18:46:48,558 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-19354) Uncaught server error: org.keycloak.models.ModelException: org.hibernate.exception.LockAcquisitionException: could not execute statement atorg.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61) atorg.keycloak.connections.jpa.JpaExceptionConverter.convert(JpaExceptionConverter.java:31) atorg.keycloak.transaction.JtaTransactionWrapper.handleException(JtaTransactionWrapper.java:65) atorg.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:94) atorg.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136) atorg.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43) atorg.jboss.resteasy.core.interception.ContainerResponseContextImpl.filter(ContainerResponseContextImpl.java:353) atorg.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:207) atorg.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:85) atorg.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:59) atorg.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:530) atorg.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:461) atorg.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:231) atorg.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:137) atorg.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:361) atorg.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:140) atorg.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:217) 
atorg.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) atorg.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) atorg.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) atio.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) atio.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) atorg.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) atio.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) atio.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) atio.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) atio.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) atio.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) atorg.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) atio.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) atio.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) atio.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) atio.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) atio.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) 
atio.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) atio.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) atio.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) atio.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) atio.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) atio.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) atorg.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) atio.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) atorg.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) atio.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) atio.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) atio.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) atio.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) atio.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) atio.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) atio.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) atorg.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) 
atorg.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) atorg.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) atorg.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) atorg.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) atio.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) atio.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) atio.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) atorg.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) atorg.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) atorg.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) atorg.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.lang.Thread.run(Thread.java:748) Caused by: org.hibernate.exception.LockAcquisitionException: could not execute statement at org.hibernate.dialect.MySQLDialect$3.convert(MySQLDialect.java:511) atorg.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42) atorg.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:111) atorg.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:97) 
atorg.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:207) atorg.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:45) atorg.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3013) atorg.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3513) atorg.hibernate.action.internal.EntityInsertAction.execute(EntityInsertAction.java:89) atorg.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:589) atorg.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:463) atorg.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337) atorg.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39) at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1295) at org.hibernate.internal.SessionImpl.managedFlush(SessionImpl.java:468) atorg.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:3159) atorg.hibernate.internal.SessionImpl.beforeTransactionCompletion(SessionImpl.java:2352) atorg.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl.beforeTransactionCompletion(JdbcCoordinatorImpl.java:491) atorg.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl.beforeCompletion(JtaTransactionCoordinatorImpl.java:316) atorg.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorNonTrackingImpl.beforeCompletion(SynchronizationCallbackCoordinatorNonTrackingImpl.java:47) atorg.hibernate.resource.transaction.backend.jta.internal.synchronization.RegisteredSynchronization.beforeCompletion(RegisteredSynchronization.java:37) atorg.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:236) atorg.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:247) 
atorg.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.beforeCompletion(AbstractTransaction.java:292) atcom.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.beforeCompletion(SynchronizationImple.java:76) atcom.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.beforeCompletion(TwoPhaseCoordinator.java:368) atcom.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:91) at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) atcom.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289) atcom.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) atcom.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) atorg.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:77) atorg.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71) atorg.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92) ... 
63 more Caused by: com.mysql.cj.jdbc.exceptions.MySQLTransactionRollbackException: Lock wait timeout exceeded; try restarting transaction atcom.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:121) atcom.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:95) atcom.mysql.cj.jdbc.exceptions.SQLExceptionsMapping.translateException(SQLExceptionsMapping.java:122) atcom.mysql.cj.jdbc.ClientPreparedStatement.executeInternal(ClientPreparedStatement.java:960) atcom.mysql.cj.jdbc.ClientPreparedStatement.executeUpdateInternal(ClientPreparedStatement.java:1116) atcom.mysql.cj.jdbc.ClientPreparedStatement.executeUpdateInternal(ClientPreparedStatement.java:1066) atcom.mysql.cj.jdbc.ClientPreparedStatement.executeLargeUpdate(ClientPreparedStatement.java:1396) atcom.mysql.cj.jdbc.ClientPreparedStatement.executeUpdate(ClientPreparedStatement.java:1051) atorg.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537) atorg.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204) ... 92 more From niko at n-k.de Tue Mar 19 01:41:16 2019 From: niko at n-k.de (=?utf-8?Q?Niko_K=C3=B6bler?=) Date: Tue, 19 Mar 2019 06:41:16 +0100 Subject: [keycloak-user] Listing users with a specific role and group through the admin client on springboot In-Reply-To: <5d11e8db-47d0-ab8d-a9e6-8631602597d8@fleetroute.com> References: <5d11e8db-47d0-ab8d-a9e6-8631602597d8@fleetroute.com> Message-ID: <18CC0928-826A-4C93-AA46-E8A4282E248E@n-k.de> Hi Vikram, when getting a user list from keycloak, groups and roles are empty, that's normal behavior, not a bug. If you want to get groups and roles for a user, you have to retrieve details for a single user from keycloak. As this might become much api calls to the server, this is not a good solution in most scenarios. 
In your case, I suggest to get also a list/set of users for the specific group you are looking for and then match the users in your role-set to the users of the group-set and use the intersection of both.

Regards,
- Niko

> On 18.03.2019 at 13:19, Vikram wrote:
>
> Does someone have anything on this ?
>
> Regards,
>
> Vikram
>
> On 3/15/2019 3:02 PM, Vikram wrote:
>> Hi all,
>>
>> Versions in use:
>>
>> Springboot version : 2.1.3 FINAL
>>
>> Keycloak version : 4.8.2
>>
>> Springboot adapter version: 4.8.3 FINAL
>>
>> Keycloak admin client 4.8.2 FINAL
>>
>> So I am trying to get all the users that have a role "customer" and
>> belong to a group "group1".
>>
>> I am using the following code.
>>
>> RoleResource roleResource = realmResource.roles().get("customer");
>> Set<UserRepresentation> customers = roleResource.getRoleUserMembers();
>> ArrayList<UserRepresentation> groupCustomers = new ArrayList<>();
>>
>> for (UserRepresentation user : customers) {
>>     if (user.getGroups().contains("group1")) { // error
>>         System.out.println("group customer: " + user.getUsername());
>>         groupCustomers.add(user);
>>     }
>> }
>>
>> However, I get an error when I loop through the user representations to
>> read the group names. I do not get the group and roles information. I
>> get the username, first name and last name though.. Is it a permission
>> issue ? How can I get around it ?
>>
>> Regards,
>> Vikram
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sylvain.malnuit at lyra-network.com Tue Mar 19 03:32:25 2019
From: sylvain.malnuit at lyra-network.com (Sylvain Malnuit)
Date: Tue, 19 Mar 2019 08:32:25 +0100 (CET)
Subject: [keycloak-user] Keycloak Gatekeeper + API Key + Service Account
Message-ID: <000f01d4de25$e5c64700$b152d500$@lyra-network.com>

Hi,

Using Keycloak, it's possible to declare a client as a service account. The client secret becomes the API key. In my case, I'm going to generate 10 clients (10 API keys).

I have tried to use Keycloak Gatekeeper to cover this use case, but GK supports only one client. In my case, I understand that I must create 10 instances of GK :(.

Is there a way to associate various clients to one instance of GK (different paths...)?

Thanks for your help.

Regards,
Sylvain

From mposolda at redhat.com Tue Mar 19 04:33:43 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 19 Mar 2019 09:33:43 +0100
Subject: [keycloak-user] LockAcquisitionException and Lock wait timeout exceeded exception in events
In-Reply-To: <24222316.6803825.1552973016192@mail.yahoo.com>
References: <1843881857.6536483.1552921179719.ref@mail.yahoo.com> <1843881857.6536483.1552921179719@mail.yahoo.com> <2089523369.6602846.1552944099743@mail.yahoo.com> <24222316.6803825.1552973016192@mail.yahoo.com>
Message-ID: <7b38b025-5cb7-d421-5760-3ca496809423@redhat.com>

Cool, it can help maybe. You will see...

Another thing is, that we know that a big number of realms is causing issues. There are some improvements planned, hopefully for this year.

Marek

On 19/03/2019 06:23, Madhu wrote:
>
> Hi Marek,
>
> Thanks for quick response.
>
> I double checked my connection pool settings, this is what I have configured:
> Min Pool Size: 50
> Max Pool Size: 100
> Flush Strategy: IdleConnections
> Pool Fair: true
> Pool Prefill: false
> Pool Use Strict Min: false
> Use Fast Fail: false
>
> Do you think I need to change this? I don't think the system is starving for connections.. will dig more deep here and get back.
>
>
> Madhu
> On Tuesday, 19 March, 2019, 2:51:39 am IST, Madhu wrote:
>
>
> Realm is tenant in my case. I have more than 600 realms and each realm has about 6 clients (excluding what gets shipped by default). There are 2 realm roles and 2 to 3 client roles per client, I have a scriptmapper and 2 groups and about 10 users in each realm.
> My max DB connections is 30. Let me check that again, try increasing it..
> Madhu
>
> Sent from Yahoo Mail on Android
>
>
> On Tue, 19 Mar 2019 at 2:21 AM, Marek Posolda wrote:
> Hi,
>
> what exactly is "tenant" in your case? Is it client or realm?
>
> We know that there are some issues with big number of those entities, so you will probably see issues with 500 or more realms/clients. Maybe it helps to increase count of max DB connections - both at the datasource level in standalone(-ha).xml and in the settings of your MySQL DB. But not really sure...
>
> Marek
>
> On 18/03/2019 15:59, Madhu wrote:
> Hi,
>
> I am using keycloak 4.5.0.Final in one of my projects and I have a fairly large number of tenants (> 500).
> Off late I see frequently lock acquisition related errors and timeouts.
>
>
> I am not able to figure out where and how this is originating, can you please help?
>
> My suspicion is, is this related to events logging? Could this be because of a fairly large number of entries in the audit/events table?
>
> Note the thread id default task-19354 for the event REFRESH_TOKEN_ERROR and the corresponding thread throwing LockAcquisitionException
>
> Regards,
> Madhu
>
>
> 2019-03-17 17:14:47,010 WARN [org.keycloak.events] (default task-19354) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress=xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
> 2019-03-17 17:15:13,183 WARN [org.keycloak.events] (default task-19354) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress=xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
> 2019-03-17 17:24:31,128 WARN [org.keycloak.events] (default task-19353) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress=xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
> 2019-03-17 17:46:17,677 WARN [org.keycloak.events] (default task-19353) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress=xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
> 2019-03-17 17:47:00,850 WARN [org.keycloak.events] (default task-19353) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress=xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
> 2019-03-17 18:46:48,058 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-19354) SQL Error: 1205, SQLState: 40001
> 2019-03-17 18:46:48,059 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-19354) Lock wait timeout exceeded; try restarting transaction
> 2019-03-17 18:46:48,059 INFO [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (default task-19354) HHH000010: On release of batch it still contained JDBC statements
> 2019-03-17 18:46:48,077 WARN [com.arjuna.ats.arjuna] (default task-19354) ARJUNA012125: TwoPhaseCoordinator.beforeCompletion - failed for
SynchronizationImple< > 0:ffffc0a803b1:-a9285f2:5bf97526:bb36de, > org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization at 5ad70e16 > >: javax.persistence.PersistenceException: > org.hibernate.exception.LockAcquisitionException: could not > execute statement > at > org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692) > at > org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602) > at > org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1608) > at > org.hibernate.jpa.internal.EntityManagerImpl$CallbackExceptionMapperImpl.mapManagedFlushFailure(EntityManagerImpl.java:235) > at > org.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:3163) > at > org.hibernate.internal.SessionImpl.beforeTransactionCompletion(SessionImpl.java:2352) > at > org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl.beforeTransactionCompletion(JdbcCoordinatorImpl.java:491) > at > org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl.beforeCompletion(JtaTransactionCoordinatorImpl.java:316) > at > org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorNonTrackingImpl.beforeCompletion(SynchronizationCallbackCoordinatorNonTrackingImpl.java:47) > at > org.hibernate.resource.transaction.backend.jta.internal.synchronization.RegisteredSynchronization.beforeCompletion(RegisteredSynchronization.java:37) > at > org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:236) > at > org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:247) > at > org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.beforeCompletion(AbstractTransaction.java:292) > at > 
com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.beforeCompletion(SynchronizationImple.java:76) > at > com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.beforeCompletion(TwoPhaseCoordinator.java:368) > at > com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:91) > at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) > at > com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289) > at > com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) > at > com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) > at > org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:77) > at > org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71) > at > org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92) > at > org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136) > at > org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43) > at > org.jboss.resteasy.core.interception.ContainerResponseContextImpl.filter(ContainerResponseContextImpl.java:353) > at > org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:207) > at > org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:85) > at > org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:59) > at > org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:530) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:461) > at > org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:231) > at > 
org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:137) > at > org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:361) > at > org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:140) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:217) > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at > io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) > at > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > 
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at > io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) > at > io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) > at > 
From akhan at an10.io Tue Mar 19 05:20:56 2019
From: akhan at an10.io (Adnan Khan)
Date: Tue, 19 Mar 2019 14:20:56 +0500
Subject: [keycloak-user] Javascript Adapter vs Node Adapter
Message-ID:

Hi folks,

I'm a junior JavaScript developer and am looking into ways to implement SSO using Keycloak. My applications are JavaScript, with a backend REST Node service and a Vue front-end. Before I go deeper into implementation I wanted to understand why there is a JavaScript adapter and a Node adapter as well. I understand that the JavaScript adapter is client side and the Node adapter is server side. How do you authenticate a resource (end-point) from a client-side adapter?

Another thing that's confusing me is keycloak.js. What is it? How is it used, and what are its pros and cons?

Thank you in anticipation and for bearing with the relatively noob questions.
Regards,
Adnan A. Khan

From vikram.eswar at fleetroute.com Tue Mar 19 05:27:19 2019
From: vikram.eswar at fleetroute.com (Vikram)
Date: Tue, 19 Mar 2019 10:27:19 +0100
Subject: [keycloak-user] Listing users with a specific role and group through the admin client on springboot
In-Reply-To: <18CC0928-826A-4C93-AA46-E8A4282E248E@n-k.de>
References: <5d11e8db-47d0-ab8d-a9e6-8631602597d8@fleetroute.com> <18CC0928-826A-4C93-AA46-E8A4282E248E@n-k.de>
Message-ID:

Thanks Niko! That is such a simple solution, but I never thought about it :P

Regards,
Vikram

On 3/19/2019 6:41 AM, Niko Köbler wrote:
> Hi Vikram,
>
> when getting a user list from Keycloak, groups and roles are empty; that's normal behavior, not a bug.
> If you want to get groups and roles for a user, you have to retrieve details for a single user from Keycloak.
> As this might become many API calls to the server, this is not a good solution in most scenarios.
>
> In your case, I suggest to also get a list/set of users for the specific group you are looking for and then match the users in your role-set to the users of the group-set and use the intersection of both.
>
> Regards,
> - Niko
>
>> On 18.03.2019 at 13:19, Vikram wrote:
>>
>> Does someone have anything on this?
>>
>> Regards,
>>
>> Vikram
>>
>> On 3/15/2019 3:02 PM, Vikram wrote:
>>> Hi all,
>>>
>>> Versions in use:
>>>
>>> Springboot version: 2.1.3 FINAL
>>> Keycloak version: 4.8.2
>>> Springboot adapter version: 4.8.3 FINAL
>>> Keycloak admin client: 4.8.2 FINAL
>>>
>>> So I am trying to get all the users that have a role "customer" and
>>> belong to a group "group1".
>>>
>>> I am using the following code.
>>>
>>> RoleResource roleResource = realmResource.roles().get("customer");
>>> Set<UserRepresentation> customers = roleResource.getRoleUserMembers();
>>> ArrayList<UserRepresentation> groupCustomers = new ArrayList<>();
>>>
>>> for (UserRepresentation user : customers) {
>>>     if (user.getGroups().contains("group1")) { // error
>>>         System.out.println("group customer: " + user.getUsername());
>>>         groupCustomers.add(user);
>>>     }
>>> }
>>>
>>> However, I get an error when I loop through the user representations to
>>> read the group names. I do not get the group and roles information. I
>>> get the username, first name and last name though. Is it a permission
>>> issue? How can I get around it?
>>>
>>> Regards,
>>> Vikram
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From kkcmadhu at yahoo.com Tue Mar 19 05:59:30 2019
From: kkcmadhu at yahoo.com (Madhu)
Date: Tue, 19 Mar 2019 09:59:30 +0000 (UTC)
Subject: [keycloak-user] LockAcquisitionException and Lock wait timeout exceeded exception in events
In-Reply-To: <7b38b025-5cb7-d421-5760-3ca496809423@redhat.com>
References: <1843881857.6536483.1552921179719.ref@mail.yahoo.com> <1843881857.6536483.1552921179719@mail.yahoo.com> <2089523369.6602846.1552944099743@mail.yahoo.com> <24222316.6803825.1552973016192@mail.yahoo.com> <7b38b025-5cb7-d421-5760-3ca496809423@redhat.com>
Message-ID: <2133181358.6987997.1552989571050@mail.yahoo.com>

Nope, I meant I already have these settings:

Min Pool Size: 50
Max Pool Size: 100
Flush Strategy: IdleConnections
Pool Fair: true
Pool Prefill: false
Pool Use Strict Min: false
Use Fast Fail: false

and it did not help :(

On Tuesday, 19 March, 2019, 2:03:48 pm IST, Marek Posolda wrote:

Cool, it can help maybe. You will see...
Another thing is that we know that a big number of realms is causing issues. There are some improvements planned, hopefully for this year.

Marek

On 19/03/2019 06:23, Madhu wrote:

Hi Marek,

Thanks for the quick response. I double checked my connection pool settings; this is what I have configured:

Min Pool Size: 50
Max Pool Size: 100
Flush Strategy: IdleConnections
Pool Fair: true
Pool Prefill: false
Pool Use Strict Min: false
Use Fast Fail: false

Do you think I need to change this? I don't think the system is starving for connections.. will dig deeper here and get back.

Madhu

On Tuesday, 19 March, 2019, 2:51:39 am IST, Madhu wrote:

Realm is tenant in my case. I have more than 600 realms and each realm has about 6 clients (excluding what gets shipped by default). There are 2 realm roles and 2 to 3 client roles per client; I have a script mapper, 2 groups and about 10 users in each realm. My max DB connections is 30. Let me check that again and try increasing it..

Madhu

Sent from Yahoo Mail on Android

On Tue, 19 Mar 2019 at 2:21 AM, Marek Posolda wrote:

Hi,

what exactly is "tenant" in your case? Is it client or realm? We know that there are some issues with a big number of those entities, so you will probably see issues with 500 or more realms/clients. Maybe it helps to increase the count of max DB connections - both at the datasource level in standalone(-ha).xml and in the settings of your MySQL DB. But not really sure...

Marek

On 18/03/2019 15:59, Madhu wrote:

Hi,

I am using Keycloak 4.5.0.Final in one of my projects and I have a fairly large number of tenants (> 500). Of late I frequently see lock acquisition related errors and timeouts. I am not able to figure out where and how this is originating. Can you please help?

My suspicion is: is this related to event logging? Could this be because of a fairly large number of entries in the audit/events table?
Note the thread id default task-19354 for the event REFRESH_TOKEN_ERROR and the corresponding thread throwing LockAcquisitionException.

Regards,
Madhu

2019-03-17 17:14:47,010 WARN  [org.keycloak.events] (default task-19354) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress=xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
2019-03-17 17:15:13,183 WARN  [org.keycloak.events] (default task-19354) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress=xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
2019-03-17 17:24:31,128 WARN  [org.keycloak.events] (default task-19353) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress=xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
2019-03-17 17:46:17,677 WARN  [org.keycloak.events] (default task-19353) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress=xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
2019-03-17 17:47:00,850 WARN  [org.keycloak.events] (default task-19353) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress=xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
2019-03-17 18:46:48,058 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-19354) SQL Error: 1205, SQLState: 40001
2019-03-17 18:46:48,059 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-19354) Lock wait timeout exceeded; try restarting transaction
2019-03-17 18:46:48,059 INFO  [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (default task-19354) HHH000010: On release of batch it still contained JDBC statements
2019-03-17 18:46:48,077 WARN  [com.arjuna.ats.arjuna] (default task-19354) ARJUNA012125: TwoPhaseCoordinator.beforeCompletion - failed for SynchronizationImple< 0:ffffc0a803b1:-a9285f2:5bf97526:bb36de,org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization at 5ad70e16 >: javax.persistence.PersistenceException: org.hibernate.exception.LockAcquisitionException: could not execute statement
Caused by: org.hibernate.exception.LockAcquisitionException: could not execute statement
Caused by: com.mysql.cj.jdbc.exceptions.MySQLTransactionRollbackException: Lock wait timeout exceeded; try restarting transaction
2019-03-17 18:46:48,558 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-19354) Uncaught server error: org.keycloak.models.ModelException: org.hibernate.exception.LockAcquisitionException: could not execute statement
atorg.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) atorg.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) atorg.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) atjavax.servlet.http.HttpServlet.service(HttpServlet.java:790) atio.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) atio.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) atorg.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) atio.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) atio.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) atio.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) atio.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) atio.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) atio.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) atorg.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) atio.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) atio.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) atio.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) atio.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) atio.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) 
atio.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) atio.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) atio.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) atio.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) atio.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) atio.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) atorg.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) atio.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) atorg.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) atio.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) atio.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) atio.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) atio.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) atio.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) atio.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) atio.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) atorg.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) 
atorg.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) atorg.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) atorg.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) atorg.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) atio.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) atio.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) atio.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) atio.undertow.server.Connectors.executeRootHandler(Connectors.java:360) atio.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) atorg.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) atorg.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) atorg.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) atorg.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) atjava.lang.Thread.run(Thread.java:748) Caused by: org.hibernate.exception.LockAcquisitionException: could not execute statement atorg.hibernate.dialect.MySQLDialect$3.convert(MySQLDialect.java:511) atorg.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42) atorg.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:111) atorg.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:97) 
atorg.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:207) atorg.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:45) atorg.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3013) atorg.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3513) atorg.hibernate.action.internal.EntityInsertAction.execute(EntityInsertAction.java:89) atorg.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:589) atorg.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:463) atorg.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337) atorg.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39) atorg.hibernate.internal.SessionImpl.flush(SessionImpl.java:1295) atorg.hibernate.internal.SessionImpl.managedFlush(SessionImpl.java:468) atorg.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:3159) atorg.hibernate.internal.SessionImpl.beforeTransactionCompletion(SessionImpl.java:2352) atorg.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl.beforeTransactionCompletion(JdbcCoordinatorImpl.java:491) atorg.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl.beforeCompletion(JtaTransactionCoordinatorImpl.java:316) atorg.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorNonTrackingImpl.beforeCompletion(SynchronizationCallbackCoordinatorNonTrackingImpl.java:47) atorg.hibernate.resource.transaction.backend.jta.internal.synchronization.RegisteredSynchronization.beforeCompletion(RegisteredSynchronization.java:37) atorg.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:236) atorg.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:247) 
atorg.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.beforeCompletion(AbstractTransaction.java:292) atcom.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.beforeCompletion(SynchronizationImple.java:76) atcom.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.beforeCompletion(TwoPhaseCoordinator.java:368) atcom.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:91) atcom.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) atcom.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289) atcom.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) atcom.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) atorg.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:77) atorg.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71) atorg.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92) ... 
92 more Caused by: com.mysql.cj.jdbc.exceptions.MySQLTransactionRollbackException: Lock wait timeout exceeded; try restarting transaction atcom.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:121) atcom.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:95) atcom.mysql.cj.jdbc.exceptions.SQLExceptionsMapping.translateException(SQLExceptionsMapping.java:122) atcom.mysql.cj.jdbc.ClientPreparedStatement.executeInternal(ClientPreparedStatement.java:960) atcom.mysql.cj.jdbc.ClientPreparedStatement.executeUpdateInternal(ClientPreparedStatement.java:1116) atcom.mysql.cj.jdbc.ClientPreparedStatement.executeUpdateInternal(ClientPreparedStatement.java:1066) atcom.mysql.cj.jdbc.ClientPreparedStatement.executeLargeUpdate(ClientPreparedStatement.java:1396) atcom.mysql.cj.jdbc.ClientPreparedStatement.executeUpdate(ClientPreparedStatement.java:1051) atorg.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537) atorg.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204) ... 92 more

From kkcmadhu at yahoo.com Tue Mar 19 06:20:13 2019 From: kkcmadhu at yahoo.com (Madhu) Date: Tue, 19 Mar 2019 10:20:13 +0000 (UTC) Subject: [keycloak-user] How to gracefully delete /clean up key-cloak with large number of realms References: <1278154218.7023298.1552990813649.ref@mail.yahoo.com> Message-ID: <1278154218.7023298.1552990813649@mail.yahoo.com>

Hi, I am using keycloak 4.5.0.Final and 4.7.0.Final. I have about 600+ realms, and I am looking for a graceful way to delete realms from a live system (without bringing down keycloak nodes). I have a cluster set up (standalone-ha.xml) with 3 or 4 nodes and I use JDBC ping for cluster discovery. I need to know what's the safest way to delete/clean up realms in such a setup. I tried deleting the tenants using a shell script which invokes /opt/softwareag/keycloak-4.7.0.Final/bin/kcadm.sh delete realms/$realm_name in a loop.
The realm deletion is slow (which is ok), but mostly I see that the cluster node becomes unresponsive after running this command; I see a large number of "Uncaught server error: javax.persistence.OptimisticLockException: org.hibernate.exception.LockAcquisitionException: could not execute statement" exceptions. The worst part of the problem is that the node does not go down completely and is still part of the cluster but unresponsive. So any info cached in the node becomes inaccessible (user, realm token info mostly) and impacts the logon/login to a set of realms owned by this node :( If I gracefully shut down the node (manually) using jboss-cli, the node goes down and allows the other cluster nodes to rebalance. But until I take manual action, this sick node remains part of the cluster and makes a part of the realms/users totally unusable. I tried doing the same with REST APIs instead of kcadm and the effect is the same (the node becomes unresponsive but does not leave the cluster). Any idea how I can gracefully delete realms from a live system without bringing down keycloak? I am thinking of:
a) bringing up a temporary node in the cluster, running the delete command from there, and shutting down this node; but what I am not sure of is, when I add another node, will rebalancing cause a part of the data which is already stored in the existing cluster nodes to be transferred to this node? If yes, then clearly this solution will not work.
b) is there a way to bring up another node in standalone mode and delete from there? But that may cause a deadlock, as the cluster is unaware of this new node and does not coordinate with it (competes with it).
c) can I delete the unwanted realms directly from the database and clean up the cache in all cluster nodes? Will that impact live traffic, and if so, how?
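An added example (editorial, not part of Madhu's message and not Keycloak's own tooling) of the pacing and checks a practitioner would want in a bulk deletion loop: it deletes realms strictly one at a time through the admin REST API (DELETE /auth/admin/realms/{realm}, with a token from the master realm's token endpoint, both as used in this thread), backs off exponentially when the server answers with a 5xx (the lock-wait timeout above surfaces as an uncaught server error), and stops sending requests after consecutive failures instead of continuing to load a node that is no longer answering. The HTTP transport is an injected callable so the logic can be exercised offline; the realm names, credentials and responses in the usage block are constructed. It does not by itself remove the lock contention, only the loop's behaviour around it.

```python
"""Serialised realm deletion with back-off through the Keycloak admin REST API.

Added example; not code from the thread or from Keycloak. Assumes the standard
endpoints DELETE {base}/admin/realms/{realm} and
POST {base}/realms/master/protocol/openid-connect/token, with base e.g.
http://localhost:8080/auth. The transport is a plain callable so a fake can be
used offline; urllib_transport is the real one.
"""
import json
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Sequence, Tuple
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# transport(method, url, headers, body) -> (status_code, response_body)
Transport = Callable[[str, str, Dict[str, str], str], Tuple[int, str]]


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: str) -> Tuple[int, str]:
    """Real HTTP transport; only used when passed in explicitly."""
    req = Request(url, data=body.encode() if body else None, headers=headers, method=method)
    try:
        with urlopen(req, timeout=60) as resp:
            return resp.getcode(), resp.read().decode()
    except HTTPError as e:
        return e.code, e.read().decode()


def get_admin_token(base_url: str, username: str, password: str, transport: Transport) -> str:
    """Password grant on the master realm's admin-cli client, as in the thread."""
    url = f"{base_url}/realms/master/protocol/openid-connect/token"
    body = urlencode({"grant_type": "password", "client_id": "admin-cli",
                      "username": username, "password": password})
    status, text = transport("POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}")
    return json.loads(text)["access_token"]


@dataclass
class DeletionReport:
    deleted: List[str] = field(default_factory=list)
    failed: List[Tuple[str, Optional[int]]] = field(default_factory=list)
    aborted: bool = False   # loop stopped early: expired token or a server that stopped recovering


def delete_realms(base_url: str, realms: Sequence[str], token: str, transport: Transport,
                  pause: float = 2.0, max_attempts: int = 3, max_consecutive_failures: int = 2,
                  sleep: Callable[[float], None] = time.sleep) -> DeletionReport:
    """Delete realms one after another; never overlap two deletions."""
    report = DeletionReport()
    headers = {"Authorization": f"Bearer {token}"}
    consecutive_failures = 0
    for realm in realms:
        status: Optional[int] = None
        for attempt in range(max_attempts):
            status, _ = transport("DELETE", f"{base_url}/admin/realms/{realm}", headers, "")
            if status in (204, 404):      # deleted, or already gone
                break
            if status == 401:             # token expired: stop and let the caller re-authenticate
                report.aborted = True
                return report
            sleep(pause * (2 ** attempt))   # 5xx: exponential back-off before retrying
        if status in (204, 404):
            report.deleted.append(realm)
            consecutive_failures = 0
            sleep(pause)   # give the cluster time to finish invalidations before the next one
        else:
            report.failed.append((realm, status))
            consecutive_failures += 1
            if consecutive_failures >= max_consecutive_failures:
                report.aborted = True   # the server is not recovering; stop adding load
                break
    return report


if __name__ == "__main__":
    # Constructed values; replace with your own server, credentials and realm list.
    base = "http://localhost:8080/auth"
    tok = get_admin_token(base, "admin", "admin", urllib_transport)
    print(delete_realms(base, ["tenant-001", "tenant-002"], tok, urllib_transport))
```

Run it against one realm first and watch the server log for the lock-wait errors before letting it walk the whole list; if it reports `aborted`, inspect the node before resuming rather than re-running the loop.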
Regards, Madhu

From mehdi.chaabouni at gmail.com Tue Mar 19 08:01:09 2019 From: mehdi.chaabouni at gmail.com (MEHDi CHAABOUNi) Date: Tue, 19 Mar 2019 08:01:09 -0400 Subject: [keycloak-user] User roles deleted after SSO idle session expires Message-ID:

Hi, This is our Keycloak setup:
- Keycloak docker container 4.4.0.Final
- Azure Active Directory (mapping groups to roles)
- Keycloak client protocol: openid-connect
- 3 optional client scopes
We noticed lately that users using the front-end application (angular) are losing all roles after the SSO idle session expires. This behaviour is also seen in the 4.8.3.Final version. It seems that the Identity Provider Mappers are not triggered for some reason and I can't dig any deeper; nothing much is logged in the method IdentityBrokerService.authenticated(BrokeredIdentityContext context). Any ideas? How can I run Keycloak from source? -------------- next part -------------- A non-text attachment was scrubbed... Name: UserPresent_RolesDeleted.log Type: text/x-log Size: 21175 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190319/0cec3da5/attachment-0001.bin

From fateh.alchhabi at gmail.com Tue Mar 19 09:17:32 2019 From: fateh.alchhabi at gmail.com (Fateh) Date: Tue, 19 Mar 2019 14:17:32 +0100 Subject: [keycloak-user] Exclude a user with realm-management role from keycloak's password policy In-Reply-To: References: <1552654525112-0.post@n6.nabble.com> Message-ID:

Hi Firoz, Thanks for the answer, but I could not achieve the expected result. First of all, I am using Keycloak-4.4.0.Final and I could not find the Role Mappings tab for the client. Here are the steps I followed:
- I went to the Master realm, created the user *sysAdmin*, then on the left from the user page >> Role Mapping >> Client Roles >> in the drop-down menu I found the clients from the Master realm only but not from the other realms.
So I assigned all the roles inside the master-realm client to it.
- In the other realm I have a client with these values (as pasted): Nosg-Realm, http://localhost:8180/auth, EXTERNAL, whereoil-rest-api, 4ab9fac1-xxxxxxx-xxxxxxx-xxxxxxxxxx, true
- I am using the Java client to fetch all users and the roles list via this code:

    import java.util.List;

    import org.keycloak.OAuth2Constants;
    import org.keycloak.admin.client.Keycloak;
    import org.keycloak.admin.client.KeycloakBuilder;
    import org.keycloak.admin.client.resource.RealmResource;
    import org.keycloak.representations.idm.UserRepresentation;

    Keycloak keycloak = KeycloakBuilder.builder()
            .serverUrl("http://localhost:8180/auth")
            .realm("Nosg-Realm")                 // realm whose token endpoint issues the token
            .grantType(OAuth2Constants.PASSWORD)
            .clientId("whereoil-rest-api")
            .clientSecret("4ab9fac1-xxxxxxx-xxxxxxx-xxxxxxxxxx")   // secret as pasted, stray spaces removed
            .username("sysadmin")                // master realm user
            .password("xxxxx")
            .build();

    RealmResource realmResource = keycloak.realm("Nosg-Realm");
    List<UserRepresentation> users = realmResource.users().search("User from Nosg-Realm");

I hope this clarifies it more. Best regards, Fateh Alchhabi

On Fri, Mar 15, 2019 at 2:11 PM Firoz Ahamed wrote:
> Hi,
>
> You could create a new user in the master realm and assign the Realm management roles for the specific realm using the Role Mappings tab -> Client Role. In order to manage the other realm, get the token for the newly created user from the master realm and then send that token in your API calls.
>
> The ability to assign realm management for other realms is only available for users in the master realm.
>
> Hope this helps.
>
> Sent from Mail for Windows 10
>
> ------------------------------
> *From:* keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of Fateh <fateh.alchhabi at gmail.com>
> *Sent:* Friday, March 15, 2019 6:25:25 PM
> *To:* keycloak-user at lists.jboss.org
> *Subject:* [keycloak-user] Exclude a user with realm-management role from keycloak's password policy
>
> Problem: I have a user with Client Roles realm-management in a realm called xx which contains a password policy.
> I want to exclude this user from the password policy since this user is responsible for fetching the roles and users and doing some updates via the Java API, and I don't want all operations to stop until we update the user's password when the password policy is triggered.
>
> Ps. I tried to use the admin user from the master realm; I couldn't get data out of the master realm.
>
> I would appreciate any help or ideas?
>
> --
> Sent from: http://keycloak-user.88327.x6.nabble.com/
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From manuel.waltschek at prisma-solutions.at Tue Mar 19 10:32:28 2019 From: manuel.waltschek at prisma-solutions.at (Manuel Waltschek) Date: Tue, 19 Mar 2019 14:32:28 +0000 Subject: [keycloak-user] no nameid leads to npe in SAMLEndpoint.java Message-ID:

Hello, I am trying to configure a kc-saml IdP broker for an external IdP. The logout request from the external IdP to the SAML broker unfortunately does not contain a NameID, and therefore org.keycloak.dom.saml.v2.protocol.LogoutRequestType.getNameID() returns null in org.keycloak.broker.saml.SAMLEndpoint. This leads to a NullPointerException being thrown. There is a requirement for us to support nameid-format:unspecified, since the USERID is delivered via a SAML attribute. I configured this in the IdP configuration, but it seems that setting nameid-format to unspecified has no effect (does this also default to persistent?). Am I mixing up these things? Is there a workaround for this issue? I hope someone can help me or at least answer me this time. Regards, Manuel Waltschek BSc. +43 660 86655 47 manuel.waltschek at prisma-solutions.at https://www.prisma-solutions.com PRISMA solutions EDV-Dienstleistungen GmbH Klostergasse 18, 2340 Mödling, Austria Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt -------------- next part -------------- A non-text attachment was scrubbed...
Name: image001.png Type: image/png Size: 6418 bytes Desc: image001.png Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190319/2063e5d3/attachment.png

From jens.bissinger at coliquio.de Tue Mar 19 10:50:13 2019 From: jens.bissinger at coliquio.de (Jens Bissinger) Date: Tue, 19 Mar 2019 14:50:13 +0000 Subject: [keycloak-user] Keycloak cluster communication not working properly In-Reply-To: <38414aa2-ea25-6da8-ba40-db29ecf9b41e@redhat.com> References: <4342F4B8-BDCA-405F-AF58-7735F0B6558E@coliquio.de> <38414aa2-ea25-6da8-ba40-db29ecf9b41e@redhat.com> Message-ID: <58DD55F6-D013-4C49-9E11-04CF5866CE24@coliquio.de>

Hey Vlasta, thanks. I just created this ticket https://issues.jboss.org/browse/KEYCLOAK-9855 Jens

On 14. Mar 2019, at 12:10, Vlasta Ramik wrote:
Hey Jens, would you mind creating a ticket[1] for the issue, please? [1] https://issues.jboss.org/projects/KEYCLOAK

On 3/13/19 2:38 PM, Jens Bissinger wrote:
Hi, we have a keycloak instance running as a docker container in our AWS ECS docker environment. For a single instance this setup works great, but we failed to extend it with a second instance for HA. Problem: We cannot authenticate on one of the instances behind the load balancer as soon as we have more than one keycloak instance.
Cluster setup:
- Keycloak v5.0.0 (docker image quay.io/keycloak/keycloak:5.0.0)
- Containers are behind AWS ALB load balancers with round-robin but without sticky sessions (the latter is important for our setup)
- JGroups with JDBC_PING configured; instances properly add/remove themselves from the configured MySQL table
- Containers run on separate EC2 hosts; TCP communication between containers is possible (port 7600 exposed also on hosts)
- Cache owners for all distributed caches are set to 2 (we also tested with 1 but without any different results)
Startup logs from infinispan look fine:
- On startup we see the log message that cluster nodes can discover each other: "ISPN000094: Received new cluster view for channel ejb: [ip-10-129-2-31.eu-central-1.compute.internal|1] (2) [ip-10-129-2-31.eu-central-1.compute.internal, ip-10-129-2-54.eu-central-1.compute.internal]"
- After that infinispan rebalancing also happens: "[Context=offlineClientSessions] ISPN100010: Finished rebalance with members [ip-10-129-2-31.eu-central-1.compute.internal, ip-10-129-2-54.eu-central-1.compute.internal]"
Analysis (so far):
- The problem is obviously that authentication starts on node 1. Due to round robin, authentication will be continued on node 2 and this fails because node 2 does not know about the authentication session started on node 1.
- According to the documentation there should be a lookup from node 2 in the cluster for the started authentication session. It seems like this is not happening, but we cannot see any log related to this.
- Also regular sessions are not distributed in the cache. We tested this by running only 1 node to do the authentication and then spinning up a second node and doing a fail-over to the new node. Afterwards the regular session was gone (we were logged out).
Thank you very much.
Regards Jens Bissinger _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

From chris.savory at edlogics.com Tue Mar 19 12:15:30 2019 From: chris.savory at edlogics.com (Chris Savory) Date: Tue, 19 Mar 2019 16:15:30 +0000 Subject: [keycloak-user] Trouble with Keycloak Cluster Mode and Service Accounts Message-ID:

We are currently doing some load testing of our application. I have Keycloak configured to run in Standalone Clustered mode. We are running Keycloak 5 in docker containers on AWS ECS. We are using JDBC_PING for jgroups. I have Sticky Sessions enabled on the front end, so logins and token retrievals through our Angular app are working fine.

The problem I am running into right now is that when I go to create users via the service account on our backend API, the TokenManager (inside the keycloak-admin-client) has to refresh its token every 5 minutes. I see a lot of these errors in the logs:

23:04:03,349 WARN [org.keycloak.events] (default task-29) type=REFRESH_TOKEN_ERROR, realmId=platform, clientId=elrc, userId=b33ec381-4e8b-425e-81e2-c526859ec7f2, ipAddress=52.4.47.98, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=9e6bf90c-aeba-4479-8d25-9b7b954bcb12, client_auth_method=client-secret

All this works fine when we use only one or two keycloaks in the cluster, but as soon as I try to scale to 3 or 4 keycloaks we see all kinds of errors trying to refresh tokens. I think this is because when our backend secret clients go to refresh their tokens, they do not have the session affinity to go back to the same keycloak instance where their token was originally generated, whereas front end users do get pinned to the same keycloak instance. Any ideas how I might solve this problem for our backend APIs?
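An added example (editorial, not from Chris's message and not the keycloak-admin-client's TokenManager) of token handling for a backend service account that never depends on a refresh token, the operation that is failing in the log line above: it obtains access tokens with the client_credentials grant from the realm's token endpoint, requests a new one shortly before expiry, ignores the refresh_token the server returns, and on a 401 from the admin API discards the token and retries once with a fresh grant. The realm (platform) and client id (elrc) are taken from the log line; the secret, clock and HTTP transport are assumptions, and the transport is injected so the logic runs offline. Keycloak's admin endpoints may still look up the session behind a bearer token, so this removes the refresh dependency but does not make session replication irrelevant; treat it as a pattern to test in the cluster rather than a confirmed fix.

```python
"""Service-account token handling that never relies on refresh tokens.

Added example; not code from the thread or from keycloak-admin-client. Assumes the
standard endpoint POST {base}/realms/{realm}/protocol/openid-connect/token and a
confidential client with service accounts enabled. Transport and clock are
injected so the behaviour can be checked offline.
"""
import json
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode

# transport(method, url, headers, body) -> (status_code, response_body)
Transport = Callable[[str, str, Dict[str, str], str], Tuple[int, str]]


@dataclass
class ServiceAccountTokens:
    base_url: str
    realm: str
    client_id: str
    client_secret: str
    transport: Transport
    leeway: float = 30.0                          # seconds before expiry at which to re-request
    clock: Callable[[], float] = time.time
    _access_token: Optional[str] = field(default=None, init=False)
    _expires_at: float = field(default=0.0, init=False)
    grants: int = field(default=0, init=False)    # number of client_credentials requests made

    def token(self) -> str:
        """Return a usable access token, requesting a new one when the current is stale."""
        if self._access_token is None or self.clock() >= self._expires_at - self.leeway:
            self._request_new()
        return self._access_token

    def invalidate(self) -> None:
        """Drop the cached token, e.g. after a 401 from the API."""
        self._access_token = None

    def auth_header(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.token()}"}

    def _request_new(self) -> None:
        url = f"{self.base_url}/realms/{self.realm}/protocol/openid-connect/token"
        body = urlencode({"grant_type": "client_credentials",
                          "client_id": self.client_id, "client_secret": self.client_secret})
        status, text = self.transport("POST", url,
                                      {"Content-Type": "application/x-www-form-urlencoded"}, body)
        if status != 200:
            raise RuntimeError(f"client_credentials grant failed: HTTP {status} {text[:200]}")
        payload = json.loads(text)
        self._access_token = payload["access_token"]
        self._expires_at = self.clock() + float(payload["expires_in"])
        self.grants += 1
        # payload usually also carries refresh_token; it is deliberately neither stored nor used


def create_user(tokens: ServiceAccountTokens, user: Dict[str, object]) -> int:
    """POST a user representation to the admin API; on 401 re-grant once and retry."""
    url = f"{tokens.base_url}/admin/realms/{tokens.realm}/users"
    headers = {"Content-Type": "application/json", **tokens.auth_header()}
    status, _ = tokens.transport("POST", url, headers, json.dumps(user))
    if status == 401:
        tokens.invalidate()
        headers = {"Content-Type": "application/json", **tokens.auth_header()}
        status, _ = tokens.transport("POST", url, headers, json.dumps(user))
    return status
```

With a five-minute access token lifetime, as in the thread, this makes one token request per node-independent five-minute window per backend instance instead of a refresh that has to land on the node holding the session.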
-- Christopher Savory From Page_Raymond at ne.bah.com Tue Mar 19 12:21:59 2019 From: Page_Raymond at ne.bah.com (Page, Raymond (Techical Solutions )) Date: Tue, 19 Mar 2019 16:21:59 +0000 Subject: [keycloak-user] Logging for X509 authentication flow Message-ID: I'm trying to get keycloak working with Wildfly authenticating clients directly by X.509 and then using the authentication flow in keycloak to translate that to a local user. Unfortunately, it's not working and I'm not getting useful logging out of keycloak to determine what's wrong with my configuration. To debug, I need to know that undertow is passing the certificate successfully to keycloak, that keycloak's X509-form authentication is receiving the proper identity, the identity extracted from the certificate for authentication comparison, what it's being compared to (is the CN or DN being regexed and is it being compared to the keycloak custom attribute that I specified). What I get from enabling debug logging that's not jboss modules loads is: 18:59:38,702 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=TEST, clientId=https://auth.test.local, userId=null, ipAddress=192.168.0.100, error=client_not_found Can someone provide details on how to get debug logging for undertow and the X509-form-config authentication? -- Raymond Page, CTR (US) Automation Engineer, UoT TIS CTR to Booz | Allen | Hamilton page_raymond at ne.bah.com raymond.c.page15.ctr at mail.mil C: (321) 549-7243 W: (703) 679-8618 From pnalyvayko at agi.com Tue Mar 19 13:40:37 2019 From: pnalyvayko at agi.com (Nalyvayko, Peter) Date: Tue, 19 Mar 2019 17:40:37 +0000 Subject: [keycloak-user] Logging for X509 authentication flow In-Reply-To: References: Message-ID: Hey Raymond, Edit standalone.xml and add the following configuration under : You will have to restart the service. 
Hope this helps Cheers -----Original Message----- From: keycloak-user-bounces at lists.jboss.org On Behalf Of Page, Raymond (Techical Solutions ) Sent: Tuesday, March 19, 2019 12:22 PM To: keycloak-user at lists.jboss.org Subject: [keycloak-user] Logging for X509 authentication flow I'm trying to get keycloak working with Wildfly authenticating clients directly by X.509 and then using the authentication flow in keycloak to translate that to a local user. Unfortunately, it's not working and I'm not getting useful logging out of keycloak to determine what's wrong with my configuration. To debug, I need to know that undertow is passing the certificate successfully to keycloak, that keycloak's X509-form authentication is receiving the proper identity, the identity extracted from the certificate for authentication comparison, what it's being compared to (is the CN or DN being regexed and is it being compared to the keycloak custom attribute that I specified). What I get from enabling debug logging that's not jboss modules loads is: 18:59:38,702 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=TEST, clientId=https://auth.test.local, userId=null, ipAddress=192.168.0.100, error=client_not_found Can someone provide details on how to get debug logging for undertow and the X509-form-config authentication? 
-- Raymond Page, CTR (US) Automation Engineer, UoT TIS CTR to Booz | Allen | Hamilton page_raymond at ne.bah.com raymond.c.page15.ctr at mail.mil C: (321) 549-7243 W: (703) 679-8618 _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

From David.Leonard at flexential.com Tue Mar 19 15:19:07 2019 From: David.Leonard at flexential.com (David Leonard) Date: Tue, 19 Mar 2019 19:19:07 +0000 Subject: [keycloak-user] Keycloak Forgot Password Auth Flow TOTP Message-ID:

Hello Everyone, I'm having an issue getting the Forgot Password Auth Flow to work the way I expect with OTP. It seems I have 2 options: either I can leave on Reset OTP and have the user reset it, or turn it off and create a backdoor to my OTP. My preferred solution would be:
1. User has forgotten their password
2. User selects the forgot password link.
3. User enters their username or email.
4. User receives email from Keycloak.
Then either:
5. The user is required to enter their current OTP.
6. User changes their password
or
5. The user changes their password
6. The user is asked to login with the new password and current OTP.
I don't want a case where the user doesn't have both their password and their OTP and is still able to authenticate. For now I have completely disabled the Forgot Password flow, but if it is possible to make either of those work it would help dramatically. I don't see in the Auth Flow how to add an OTP Form like the one in the Browser flow. Thanks! David

This message contains information that may be confidential, privileged or otherwise protected by law from disclosure. It is intended for the exclusive use of the addressee(s) and only the addressee or authorized agent of the addressee may review, copy, distribute or disclose to anyone the message or any information contained within.
If you are not the addressee, please contact the sender by electronic reply and immediately delete all copies of the message. This message is not an offer capable of acceptance, does not create an obligation of any kind and no recipient may rely on this message. From Page_Raymond at ne.bah.com Tue Mar 19 15:35:12 2019 From: Page_Raymond at ne.bah.com (Page, Raymond (Techical Solutions )) Date: Tue, 19 Mar 2019 19:35:12 +0000 Subject: [keycloak-user] Logging for X509 authentication flow In-Reply-To: References: , Message-ID: I'm not sure if this makes a difference, but I have not I added the two new categories to the domain:logging:6.0, but I don't get any additional output. I'm speculating there might be an issue from undertow to keycloak, how do I log undertow? ________________________________ From: Nalyvayko, Peter Sent: Tuesday, March 19, 2019 1:40:37 PM To: Page, Raymond (Techical Solutions ); keycloak-user at lists.jboss.org Subject: [External] RE: Logging for X509 authentication flow Hey Raymond, Edit standalone.xml and add the following configuration under : You will have to restart the service. Hope this helps Cheers -----Original Message----- From: keycloak-user-bounces at lists.jboss.org On Behalf Of Page, Raymond (Techical Solutions ) Sent: Tuesday, March 19, 2019 12:22 PM To: keycloak-user at lists.jboss.org Subject: [keycloak-user] Logging for X509 authentication flow I'm trying to get keycloak working with Wildfly authenticating clients directly by X.509 and then using the authentication flow in keycloak to translate that to a local user. Unfortunately, it's not working and I'm not getting useful logging out of keycloak to determine what's wrong with my configuration. 
To debug, I need to know that undertow is passing the certificate successfully to keycloak, that keycloak's X509-form authentication is receiving the proper identity, the identity extracted from the certificate for authentication comparison, what it's being compared to (is the CN or DN being regexed and is it being compared to the keycloak custom attribute that I specified).

What I get from enabling debug logging that's not jboss modules loads is:

18:59:38,702 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=TEST, clientId=https://auth.test.local, userId=null, ipAddress=192.168.0.100, error=client_not_found

Can someone provide details on how to get debug logging for undertow and the X509-form-config authentication?

-- 
Raymond Page, CTR (US)
Automation Engineer, UoT TIS
CTR to Booz | Allen | Hamilton
page_raymond at ne.bah.com
raymond.c.page15.ctr at mail.mil
C: (321) 549-7243
W: (703) 679-8618

From mizuki0621 at gmail.com Tue Mar 19 15:55:47 2019
From: mizuki0621 at gmail.com (mizuki)
Date: Tue, 19 Mar 2019 15:55:47 -0400
Subject: [keycloak-user] Authentication failed: org.jvnet.libpam.PAMException
In-Reply-To: 
References: <20190312153503.GA25306@abstractj.org>
Message-ID: 

Hi Bruno Et al,

If possible, please advise the next approach, to me it seems like a bug.
As a workaround, it is possible to enable OTP embedded with keycloak, but the preferred way is to have the QR code stored in the central database such as IPA, so we can extend the features to other services ideally (enabling OTP on a gateway for example).

Another question is, if it's possible to separate the Password & OTP for users to type in instead of combining them in one input box. SSH login separates them as 'First Factor' and 'Second Factor' to allow you to type them in separately, which is nice. The OTP coming with Keycloak does the same thing, Password and OTP are separate input boxes, which helps reduce possible mistakes. Especially when OTP is time based, it would be very much a hassle for users to type in Password and OTP all at once in one box.

Please advise & thanks so much!
Mizuki

On Thu, Mar 14, 2019 at 8:37 PM mizuki wrote:

> See pamtester went successful with both cases (whether both OTP and
> password enabled or OTP only)
>
> Case 1: Both Password and OTP are enabled:
>
> *[root at mktst1 ~]# pamtester keycloak mmstestu authenticate*
> First Factor:
> Second Factor (optional):
> pamtester: successfully authenticated
>
> Case 2: Enabled OTP only:
> *[root at mktst1 ~]# pamtester Keycloak mmstestu authenticate*
> First Factor:
> Second Factor:
> pamtester: successfully authenticated
>
> Note
> Thanks.
>
> On Thu, Mar 14, 2019 at 7:01 PM Bruno Oliveira wrote:
>
>> What is the output from pamtester?
>>
>> On Thu, Mar 14, 2019, 5:42 PM mizuki wrote:
>>
>>> Thanks for the response, Bruno.
>>>
>>> I certainly went through the documents and examined configurations
>>> carefully. I attached KRB log from IPA server as well as /var/log/secure
>>> from Keycloak server as supporting evidence (highlighted with blue for
>>> important portions).
>>>
>>> In the case when both 'password' and 'otp' are enabled to the user in
>>> IPA, Keycloak failed to authenticate user with either the password or otp.
>>>
>>> [root at idm01 ~]# ipa user-show mmstestu
>>> User login: mmstestu
>>> First name: Test
>>> Last name: 55555
>>> Home directory: /u0b/mmstestu
>>> Login shell: /bin/bash
>>> Principal name: mmstestu at SDCC.BNL.GOV
>>> Principal alias: mmstestu at SDCC.BNL.GOV
>>> Kerberos principal expiration: 20690301145828Z
>>> Email address: smithj4 at example.com
>>> UID: 7041
>>> GID: 9965
>>> SSH public key fingerprint:
>>> SHA256:/JlIpowM8fnzu+eVyeDj0Nb08+L3KWn7gG3lmS2YRFk (ssh-rsa)
>>> User authentication types: otp, password
>>> Account disabled: False
>>> Password: True
>>> Member of groups: ipausers, rhloi13, ravendor, webstaff, eic
>>> Member of HBAC rule: mktst1
>>> Kerberos keys available: True
>>>
>>> Krb log on IPA server shows following:
>>> Mar 14 16:24:36 idm01.sdcc.bnl.gov krb5kdc[9534](info): AS_REQ (8
>>> etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: NEEDED_PREAUTH:
>>> mmstestu at SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV at SDCC.BNL.GOV, Additional
>>> pre-authentication required
>>> Mar 14 16:24:36 idm01.sdcc.bnl.gov krb5kdc[9534](info): AS_REQ (8
>>> etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: PREAUTH_FAILED:
>>> mmstestu at SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV at SDCC.BNL.GOV, Incorrect
>>> password in encrypted challenge
>>>
>>> /var/log/secure log on KeyCloak server:
>>> Mar 14 16:24:36 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth):
>>> authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost=
>>> user=mmstestu
>>> Mar 14 16:24:36 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth):
>>> received for user mmstestu: 17 (Failure setting user credentials)
>>>
>>> In ../log/server.log on KeyCloak server:
>>> 2019-03-14 16:24:36,844 ERROR
>>> [org.keycloak.federation.sssd.impl.PAMAuthenticator] (default task-2)
>>> Authentication failed: org.jvnet.libpam.PAMException: pam_authenticate
>>> failed : Permission denied
>>> at org.jvnet.libpam.PAM.check(PAM.java:113)
>>> at org.jvnet.libpam.PAM.authenticate(PAM.java:129)
>>>
at >>> org.keycloak.federation.sssd.impl.PAMAuthenticator.authenticate(PAMAuthenticator.java:53) >>> at >>> org.keycloak.federation.sssd.SSSDFederationProvider.isValid(SSSDFederationProvider.java:180) >>> at >>> org.keycloak.credential.UserCredentialStoreManager.validate(UserCredentialStoreManager.java:143) >>> at >>> org.keycloak.credential.UserCredentialStoreManager.isValid(UserCredentialStoreManager.java:124) >>> at >>> org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword(AbstractUsernameFormAuthenticator.java:193) >>> at >>> org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:166) >>> at >>> org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:55) >>> at >>> org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:48) >>> at >>> org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:113) >>> at >>> org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:97) >>> at >>> org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873) >>> at >>> org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292) >>> at >>> org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:263) >>> at >>> org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:259) >>> at >>> org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:320) >>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >>> at >>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90) >>> at >>> 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55) >>> at java.lang.reflect.Method.invoke(Method.java:508) >>> at >>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) >>> at >>> org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509) >>> at >>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399) >>> at >>> org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363) >>> at >>> org.jboss.resteasy.core.ResourceMethodInvoker$$Lambda$873.00000000AFCB79F0.get(Unknown >>> Source) >>> at >>> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) >>> at >>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365) >>> at >>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337) >>> at >>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) >>> at >>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) >>> at >>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443) >>> at >>> org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233) >>> at >>> org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$871.00000000B11B4F40.run(Unknown >>> Source) >>> at >>> org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139) >>> at >>> org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$872.00000000ACC159F0.get(Unknown >>> Source) >>> at >>> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) >>> at >>> org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142) >>> at >>> 
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219) >>> at >>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) >>> at >>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >>> at >>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) >>> at >>> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) >>> at >>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) >>> at >>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) >>> at >>> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) >>> at >>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >>> at >>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) >>> at >>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >>> at >>> io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) >>> at >>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >>> at >>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >>> at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> at >>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) >>> at >>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >>> at >>> 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> at >>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >>> at >>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >>> at >>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) >>> at >>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >>> at >>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >>> at >>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) >>> at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> at >>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >>> at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> at >>> org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) >>> at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> at >>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) >>> at >>> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) >>> at >>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) >>> at >>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) >>> at >>> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) >>> 
at >>> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) >>> at >>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) >>> at >>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$721.00000000A8A8CB90.call(Unknown >>> Source) >>> at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) >>> at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown >>> Source) >>> at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) >>> at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown >>> Source) >>> at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) >>> at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown >>> Source) >>> at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) >>> at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown >>> Source) >>> at >>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) >>> at >>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) >>> at >>> 
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
>>> at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
>>> at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
>>> at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
>>> at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
>>> at java.lang.Thread.run(Thread.java:812)
>>>
>>> Then if I remove the 'password' option and leave 'otp' only for the
>>> user, KeyCloak does actually authenticate fine (password + QRCode combined
>>> with no space): Following are logs when it succeeds:
>>>
>>> [root at idm01 ~]# ipa user-mod mmstestu --user-auth-type=otp
>>> ------------------------
>>> Modified user "mmstestu"
>>> ------------------------
>>> User login: mmstestu
>>> First name: Test
>>> Last name: 55555
>>> Home directory: /u0b/mmstestu
>>> Login shell: /bin/bash
>>> Principal name: mmstestu at SDCC.BNL.GOV
>>> Principal alias: mmstestu at SDCC.BNL.GOV
>>> Kerberos principal expiration: 20690301145828Z
>>> Email address: smithj4 at example.com
>>> UID: 7041
>>> GID: 9965
>>> SSH public key fingerprint:
>>> SHA256:/JlIpowM8fnzu+eVyeDj0Nb08+L3KWn7gG3lmS2YRFk (ssh-rsa)
>>> User authentication types: otp
>>> Account disabled: False
>>> Password: True
>>> Member of groups: ipausers, rhloi13, ravendor, webstaff, eic
>>> Member of HBAC rule: mktst1
>>> Kerberos keys available: True
>>>
>>> In KRB log on IPA server:
>>> Mar 14 16:28:57 idm01.sdcc.bnl.gov krb5kdc[9535](info): AS_REQ (8
>>> etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: ISSUE: authtime
>>> 1552595337, etypes {rep=18 tkt=18 ses=18}, mmstestu at SDCC.BNL.GOV for
>>>
krbtgt/SDCC.BNL.GOV at SDCC.BNL.GOV
>>> Mar 14 16:28:57 idm01.sdcc.bnl.gov krb5kdc[9535](info): TGS_REQ (8
>>> etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: ISSUE: authtime
>>> 1552595337, etypes {rep=18 tkt=18 ses=18}, mmstestu at SDCC.BNL.GOV for
>>> host/mktst1.sdcc.bnl.gov at SDCC.BNL.GOV
>>>
>>> In /var/log/secure on KeyCloak server:
>>> Mar 14 16:28:57 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth):
>>> authentication success; logname=root uid=0 euid=0 tty= ruser= rhost=
>>> user=mmstestu
>>>
>>> Please advise.
>>> Thanks.
>>> Mizuki
>>>
>>>
>>> On Tue, Mar 12, 2019 at 11:35 AM Bruno Oliveira
>>> wrote:
>>>
>>>> Hi Mizuki,
>>>>
>>>> In the scenario you described Keycloak just relies on PAM to
>>>> authenticate the user. What I'd do before configuring Keycloak is to try
>>>> dbus-send and pamtester, just to make sure that my setup works.
>>>>
>>>> So here's my suggestion, try to run pamtester -v keycloak youruser. If
>>>> pamtester does not authenticate your user, there's a chance that
>>>> something is wrong with your setup. Certainly worth reviewing our
>>>> docs[1].
>>>>
>>>> [1] -
>>>> https://www.keycloak.org/docs/latest/server_admin/index.html#_sssd
>>>>
>>>> On 2019-03-05, mizuki wrote:
>>>> > Hi,
>>>> >
>>>> > We are currently evaluating keycloak as a possible authentication
>>>> > mechanism deployed to our facility.
>>>> > We use kerberos for user authentication with FreeIPA and configured
>>>> > sssd for user federation in keycloak (following the official document
>>>> > both from keycloak and freeipa.org)
>>>> > One of the requirements we desire is to enable kerberos password for
>>>> > SSH login and enable 'otp' for HTTP based applications.
>>>> >
>>>> > To do so,
>>>> > 1. We enabled both user-auth-types for the user:
>>>> > - password
>>>> > - password + otp
>>>> >
>>>> > 2.
Created HBAC rules in IPA, allowing keycloak server access for the following
>>>> > services: (I purposely did not enable 'otp' at this point as I want to
>>>> > verify both 'password' and 'otp' shall work)
>>>> > - keycloak
>>>> > - sshd
>>>> >
>>>> > 3. Confirmed sshd worked with both 'password' and 'otp' types via
>>>> > PAM/SSSD, then I went ahead and accessed a URL that is protected by
>>>> > keycloak, 'password' works but 'otp' won't, the following ERRORs were
>>>> > seen in keycloak's server.log:
>>>> > -----------
>>>> > 2019-03-04 17:01:20,246 WARN [org.keycloak.events] (default task-22)
>>>> > type=LOGIN_ERROR, realmId=SDCC, clientId=vproxytest03,
>>>> > userId=9900928d-efee-4192-bbc8-7e29cf512d2b, ipAddress=130.199.6.120,
>>>> > error=invalid_user_credentials, auth_method=openid-connect, auth_type=code,
>>>> > redirect_uri=https://www.example.com/secure/*,
>>>> > code_id=d6c83411-4ca8-4d2b-b942-afd0006e98d2, username=mmstestu
>>>> > 2019-03-04 17:01:43,033 ERROR
>>>> > [org.keycloak.federation.sssd.impl.PAMAuthenticator] (default task-22)
>>>> > Authentication failed: org.jvnet.libpam.PAMException: pam_authenticate
>>>> > failed : Permission denied
>>>> > at org.jvnet.libpam.PAM.check(PAM.java:113)
>>>> > at org.jvnet.libpam.PAM.authenticate(PAM.java:129)
>>>> > at org.keycloak.federation.sssd.impl.PAMAuthenticator.authenticate(PAMAuthenticator.java:53)
>>>> > at org.keycloak.federation.sssd.SSSDFederationProvider.isValid(SSSDFederationProvider.java:180)
>>>> > at org.keycloak.credential.UserCredentialStoreManager.validate(UserCredentialStoreManager.java:143)
>>>> > at org.keycloak.credential.UserCredentialStoreManager.isValid(UserCredentialStoreManager.java:124)
>>>> > at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword(AbstractUsernameFormAuthenticator.java:193)
>>>> > at
org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:166) >>>> > >>>> > at >>>> > >>>> org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:55) >>>> > >>>> > at >>>> > >>>> org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:48) >>>> > >>>> > at >>>> > >>>> org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:113) >>>> > >>>> > at >>>> > >>>> org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:97) >>>> > >>>> > at >>>> > >>>> org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873) >>>> > >>>> > at >>>> > >>>> org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292) >>>> > >>>> > at >>>> > >>>> org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:263) >>>> > >>>> > at >>>> > >>>> org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:259) >>>> > >>>> > at >>>> > >>>> org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:320) >>>> > >>>> > at sun.reflect.GeneratedMethodAccessor719.invoke(Unknown Source) >>>> > at >>>> > >>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55) >>>> > >>>> > at java.lang.reflect.Method.invoke(Method.java:508) >>>> > at >>>> > >>>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) >>>> > >>>> > at >>>> > >>>> org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509) >>>> > >>>> > at >>>> > >>>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399) >>>> > >>>> > at >>>> > >>>> 
org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363) >>>> > >>>> > at >>>> > >>>> org.jboss.resteasy.core.ResourceMethodInvoker$$Lambda$849.00000000BB8BBB40.get(Unknown >>>> > Source) >>>> > at >>>> > >>>> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) >>>> > >>>> > at >>>> > >>>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365) >>>> > >>>> > at >>>> > >>>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337) >>>> > >>>> > at >>>> > >>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) >>>> > >>>> > at >>>> > >>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) >>>> > >>>> > at >>>> > >>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443) >>>> > >>>> > at >>>> > >>>> org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233) >>>> > >>>> > at >>>> > >>>> org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$847.00000000BE026450.run(Unknown >>>> > Source) >>>> > at >>>> > >>>> org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139) >>>> > >>>> > at >>>> > >>>> org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$848.00000000BDC48A90.get(Unknown >>>> > Source) >>>> > at >>>> > >>>> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) >>>> > >>>> > at >>>> > >>>> org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142) >>>> > >>>> > at >>>> > >>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219) >>>> > >>>> > at >>>> > >>>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) >>>> > 
>>>> > at >>>> > >>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >>>> > >>>> > at >>>> > >>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >>>> > >>>> > at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) >>>> > at >>>> > >>>> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) >>>> > >>>> > at >>>> > >>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) >>>> > >>>> > at >>>> > >>>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) >>>> > >>>> > at >>>> > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) >>>> > at >>>> > >>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >>>> > >>>> > at >>>> > >>>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) >>>> > >>>> > at >>>> > >>>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >>>> > >>>> > at >>>> > >>>> io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) >>>> > >>>> > at >>>> > >>>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >>>> > >>>> > at >>>> > >>>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >>>> > >>>> > at >>>> > >>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>> > >>>> > at >>>> > >>>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) >>>> > >>>> > at >>>> > >>>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >>>> > >>>> > 
at >>>> > >>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>> > >>>> > at >>>> > >>>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >>>> > >>>> > at >>>> > >>>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >>>> > >>>> > at >>>> > >>>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) >>>> > >>>> > at >>>> > >>>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >>>> > >>>> > at >>>> > >>>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >>>> > >>>> > at >>>> > >>>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) >>>> > >>>> > at >>>> > >>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>> > >>>> > at >>>> > >>>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >>>> > >>>> > at >>>> > >>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>> > >>>> > at >>>> > >>>> org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) >>>> > >>>> > at >>>> > >>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>> > >>>> > at >>>> > >>>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) >>>> > >>>> > at >>>> > >>>> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) >>>> > >>>> > at >>>> > >>>> 
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) >>>> > >>>> > at >>>> > >>>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) >>>> > >>>> > at >>>> > >>>> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) >>>> > >>>> > at >>>> > >>>> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) >>>> > >>>> > at >>>> > >>>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) >>>> > >>>> > at >>>> > >>>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$693.00000000BCF725B0.call(Unknown >>>> > Source) >>>> > at >>>> > >>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) >>>> > >>>> > at >>>> > >>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown >>>> > Source) >>>> > at >>>> > >>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) >>>> > >>>> > at >>>> > >>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown >>>> > Source) >>>> > at >>>> > >>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) >>>> > >>>> > at >>>> > >>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown >>>> > Source) >>>> > at >>>> > >>>> 
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>>>> > at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown Source)
>>>> > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>>>> > at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>> > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>>>> > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
>>>> > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
>>>> > at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
>>>> > at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
>>>> > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
>>>> > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
>>>> > at java.lang.Thread.run(Thread.java:812)
>>>> > ------------------
>>>> >
>>>> > Interesting thing is keycloak handles OTP just fine if I have
>>>> > 'password+otp' only checked on, then we won't be able to log onto the
>>>> > machines via SSH using password, that defeats our purposes.
>>>> >
>>>> > I tested different versions of JAVA and the latest keycloak (4.8.3)
>>>> > version (on RHEL 7), all got the same results.
>>>> > I'm wondering if this is more likely a bug or I missed something.
>>>> > I'd appreciate if someone can advise what the approach is.
>>>> >
>>>> > Thank you very much.
>>>> >
>>>> > Mizuki
>>>> > _______________________________________________
>>>> > keycloak-user mailing list
>>>> > keycloak-user at lists.jboss.org
>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>> --
>>>>
>>>> abstractj
>>>>
>>>

From pnalyvayko at agi.com Tue Mar 19 15:58:06 2019
From: pnalyvayko at agi.com (Nalyvayko, Peter)
Date: Tue, 19 Mar 2019 19:58:06 +0000
Subject: [keycloak-user] Logging for X509 authentication flow

Raymond,

I assume you've followed the steps described in https://www.keycloak.org/docs/4.8/server_admin/, "6.6. X.509 Client Certificate User Authentication"?

Another suggestion is to double check your app OIDC configuration and make sure it is properly configured with a valid client id - the clientId in the error output looks suspicious.

My $0.02

From: Page, Raymond (Techical Solutions )
Sent: Tuesday, March 19, 2019 3:35 PM
To: Nalyvayko, Peter ; keycloak-user at lists.jboss.org
Subject: Re: Logging for X509 authentication flow

I'm not sure if this makes a difference, but I added the two new categories to the domain:logging:6.0, and I don't get any additional output.

I'm speculating there might be an issue from undertow to keycloak; how do I log undertow?

________________________________
From: Nalyvayko, Peter
Sent: Tuesday, March 19, 2019 1:40:37 PM
To: Page, Raymond (Techical Solutions ); keycloak-user at lists.jboss.org
Subject: [External] RE: Logging for X509 authentication flow

Hey Raymond,

Edit standalone.xml and add the following configuration under :

You will have to restart the service.
Hope this helps

Cheers

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Page, Raymond (Techical Solutions )
Sent: Tuesday, March 19, 2019 12:22 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Logging for X509 authentication flow

I'm trying to get keycloak working with Wildfly authenticating clients directly by X.509 and then using the authentication flow in keycloak to translate that to a local user. Unfortunately, it's not working and I'm not getting useful logging out of keycloak to determine what's wrong with my configuration.

To debug, I need to know that undertow is passing the certificate successfully to keycloak, that keycloak's X509-form authentication is receiving the proper identity, the identity extracted from the certificate for authentication comparison, and what it's being compared to (is the CN or DN being regexed, and is it being compared to the keycloak custom attribute that I specified).

What I get from enabling debug logging that's not jboss module loads is:

18:59:38,702 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=TEST, clientId=https://auth.test.local, userId=null, ipAddress=192.168.0.100, error=client_not_found

Can someone provide details on how to get debug logging for undertow and the X509-form-config authentication?
--
Raymond Page, CTR (US)
Automation Engineer, UoT TIS
CTR to Booz | Allen | Hamilton
page_raymond at ne.bah.com
raymond.c.page15.ctr at mail.mil
C: (321) 549-7243
W: (703) 679-8618
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From andrewm659 at yahoo.com Tue Mar 19 16:43:38 2019
From: andrewm659 at yahoo.com (Andrew Meyer)
Date: Tue, 19 Mar 2019 20:43:38 +0000 (UTC)
Subject: [keycloak-user] adding mysql or mariadb backend
References: <1643686692.8175694.1553028218614.ref@mail.yahoo.com>
Message-ID: <1643686692.8175694.1553028218614@mail.yahoo.com>

Hello,

If I am adding a mariadb or mysql backend to keycloak v4.8.3 or 5.0.0, what is the correct syntax from the jboss-cli.sh tool? This is what I have in my notes.

Open the Jboss CLI and add the MySQL driver (you don't have to connect with the Jboss websocket).

$ ./bin/jboss-cli.sh

Is this the correct mysql connector version for MariaDB 10.1.x?

MySQL/MariaDB
jboss-cli$ module add --name=com.mysql --dependencies=javax.api,javax.transaction.api --resources=/root/mysql-connector-java-5.1.47.jar

Add the Database driver to the configuration.

MySQL/MariaDB
# sudo su -

Is this the correct syntax for the driver? Should it be com.mysql or org.mysql?

$ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/jdbc-driver=mysql:add(driver-name=mysql,driver-module-name=com.mysql,driver-class-name=com.mysql.jdbc.Driver)'

Remove the h2 KeycloakDS data source and add the MySQL KeycloakDS data source.
(Don't delete the test database and change YOURPASS to something random)

MySQL/MariaDB
# sudo su -
$ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=KeycloakDS:remove'
$ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=asmDS:add(driver-name=mysql,enabled=true,use-java-context=true,connection-url="jdbc:mysql://10.150.10.20:3306/keycloak?useSSL=false&useLegacyDatetimeCode=false&serverTimezone=America/Chicago&characterEncoding=UTF-8",jndi-name="java:jboss/datasources/KeycloakDS",user-name=keycloak,password="ChangeMe",valid-connection-checker-class-name=org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker,validate-on-match=true,exception-sorter-class-name=org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter)'
$ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=asmDS:test-connection-in-pool'

From abhijeet.p.deshpande at gmail.com Tue Mar 19 17:08:47 2019
From: abhijeet.p.deshpande at gmail.com (Abhijeet Deshpande)
Date: Tue, 19 Mar 2019 17:08:47 -0400
Subject: [keycloak-user] Keycloak server migration backward compatibility

Hi,

I'm migrating keycloak version from 2.2.1.Final to Keycloak 4.4.0.Final, with an option for backward compatibility, i.e. a bearer token generated by the UI application on Keycloak 2.2.1.Final can be authenticated by the Service on Keycloak 4.4.0.Final.

Our application has Angular-UI (ssoadmin-ui) & SpringBoot-Services (ssoadmin-service).

For my migration POC:
1. Installed Keycloak 4.4.0.Final version on my local, registered both above mentioned clients in the new Keycloak version.
2. Modified the key /src/config/keycloak.json file with the latest keycloak settings; below is the keycloak.json

{
  "realm": "Demo",
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "external",
  "resource": "ssoadmin-ui",
  "public-client": true,
  "use-resource-role-mappings": true,
  "confidential-port": 0
}

1. With these settings in Angular I'm making a call to my service. Service is running on localhost:8082
2. My service still points to the old keycloak instance (KeyCloak 2.2.1.Final). Below are the application.properties in the service for keycloak.

####### Keycloak
keycloak.realm=DEV_Ext
keycloak.auth-server-url=https://kc-lower.****.com/auth
keycloak.ssl-required=external
keycloak.resource=ssoadmin-service

This fails with the below exception:

o.k.a.BearerTokenRequestAuthenticator - Failed to verify token
org.keycloak.common.VerificationException: Invalid token signature

Is this the right approach? And is this achievable? For my application to have one client authenticating with the 2.2.1.Final version and another client getting this token validated against the 4.4.0.Final version.

Any pointers will be much appreciated. Please let me know if any clarifications/additional information are needed.

Also, if I make both of them the same version of keycloak, the authentication works.

Thanks
Abhijeet

From katarzyna.sycz at eventival.com Wed Mar 20 05:52:15 2019
From: katarzyna.sycz at eventival.com (Katarzyna Sycz)
Date: Wed, 20 Mar 2019 10:52:15 +0100
Subject: [keycloak-user] KEYCLOAK-9790 and KEYCLOAK-9789

Hello,

We started using Keycloak lately and we want to implement and adjust it for our clients. However, we found two issues and I would like to ask you for an answer. Unfortunately, I was not able to find a solution or information in the docs.
Issues:
https://issues.jboss.org/browse/KEYCLOAK-9790
https://issues.jboss.org/browse/KEYCLOAK-9789

Kind regards,
Katarzyna Sycz

--
*Katarzyna Sycz*
Junior Software Developer
katarzyna.sycz at eventival.com
+420 773 978 859
www.eventival.com

From psilva at redhat.com Wed Mar 20 08:11:02 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 20 Mar 2019 09:11:02 -0300
Subject: [keycloak-user] User roles deleted after SSO idle session expires

Hi,

Are you using a broker to authenticate your users? Your setup is not clear if that is the case, so I'm not sure if the method you pointed out is related.

Can you confirm that this scenario was working before? By losing roles, you mean they are not within the access token?

Regards.
Pedro Igor

On Tue, Mar 19, 2019 at 9:16 AM MEHDi CHAABOUNi wrote:

> Hi,
>
> This is our Keycloak setup:
>
> - Keycloak docker container 4.4.0.Final
> - Azure Active Directory (mapping groups to roles)
> - Keycloak client protocol: openid-connect
> - 3 optional client scopes
>
> We noticed lately that users using the front-end application (angular) are
> losing all roles after the SSO idle session expires.
> This behaviour is also seen in the 4.8.3.Final version.
> It seems that the Identity Provider Mappers are not triggered for some
> reason and I can't dig any deeper; nothing much is logged in the method
> IdentityBrokerService.authenticated(BrokeredIdentityContext context).
>
> Any ideas?
> How can I run Keycloak from source?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From fnberta at gmail.com Wed Mar 20 08:33:15 2019
From: fnberta at gmail.com (Fabio Berta)
Date: Wed, 20 Mar 2019 13:33:15 +0100
Subject: [keycloak-user] Authorisation services: resource server managing permissions

Hi

I have a couple of questions regarding Keycloak's authorisation services.
Premise:
- I don't really need the whole user managed permissions and permission sharing features that UMA gives. All permissions are given by admin users.
- My resource server is a NodeJS application, hence I cannot use the pre-made Java adapters
- I'm not sending RPT tokens to public clients at the moment; the resource server checks permissions by making a request to Keycloak

Let's assume I want to protect the entity "Config". I need to restrict create/delete/update rights for all configs and read rights for every single instance of config. To achieve that, I created the scopes "config:read", "config:create", "config:delete" and "config:update". I created the resource "config" and attached the scopes "config:create", "config:delete" and "config:update". Because only users with the realm role "admin" should be able to create/update/delete, I created a role based policy specifying the "admin" role and connected it with the resource "config" and the scopes "config:create", "config:delete" and "config:update" in a scope-based permission. So far everything is pretty straightforward and works well.

Where it gets more complicated is the read rights for individual configs. What I have in mind is an interface where admins can create configs and manage permissions for them without going through the keycloak admin console. Whenever an admin creates a new config, the resource server creates a corresponding resource (e.g. config/configId) and stores the id of the resource next to the config.
I can do that with the Protection API (authz/protection/resource_set). What I have not yet figured out is how the resource server can set permissions at this point. Let's assume the admin has specified two users that should be able to access the new config. The resource server should create a new user based policy containing the two users and connect it with the "config/configId" resource and the scope "config:read" in a scope-based permission. From the documentation it looks like the Policy API might be able to handle this. But two things confuse me:
- It says "This API is protected by a bearer token that must represent a consent granted by the user to the resource server to manage permissions on his behalf". I don't need to manage on the user's behalf; the resource is owned by the resource server and the created permission would also be owned by the resource server.
- The examples for the API somehow combine policies and permissions into one?
I tried to use this API with a token obtained via the client credentials grant but it failed to create permissions (empty response and nothing got created).

I see that the Java Admin Client has the ability to manage permissions but I can't find documentation on the REST endpoints it uses (https://www.keycloak.org/docs-api/5.0/rest-api/index.html doesn't contain anything authz related). Would the Admin API be the thing to use here or can I do this with the Policy API? Or maybe my approach is fundamentally flawed and I should approach this from another angle?

This message got way too long but I hope I was able to make my questions clear. Grateful for any help I can get!
Best regards,
Fabio Berta

From l.lech at ringler.ch Wed Mar 20 09:03:57 2019
From: l.lech at ringler.ch (Lukasz Lech)
Date: Wed, 20 Mar 2019 13:03:57 +0000
Subject: [keycloak-user] KEYCLOAK-9790 and KEYCLOAK-9789
Message-ID: <5E48B917000C984B86B77170F441903A189734BD@exch.ringler.ch>

Hello,

Creating a spam app is quite trivial, so my concern in that issue is more a malicious attack that is aimed at blacklisting an application using Keycloak. This can be achieved by subsequent registration with random emails within the same domain (for example, gmail.com).

I'd like to extend that question: is Keycloak generally prepared to detect such suspicious activity and block abnormal traffic, especially flowing from one origin?

Btw. the default mail messages seem to be very 'spam friendly'; they get caught by spam filters in short time.

Best regards,
Lukasz Lech

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Katarzyna Sycz
Sent: Wednesday, 20 March 2019 10:52
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] KEYCLOAK-9790 and KEYCLOAK-9789

Hello,

We started using Keycloak lately and we want to implement and adjust it for our clients. However, we found two issues and I would like to ask you for an answer. Unfortunately, I was not able to find a solution or information in the docs.
Issues:
https://issues.jboss.org/browse/KEYCLOAK-9790
https://issues.jboss.org/browse/KEYCLOAK-9789

Kind regards,
Katarzyna Sycz

--
*Katarzyna Sycz*
Junior Software Developer
katarzyna.sycz at eventival.com
+420 773 978 859
www.eventival.com
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Wed Mar 20 09:05:28 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 20 Mar 2019 10:05:28 -0300
Subject: [keycloak-user] Authorisation services: resource server managing permissions

On Wed, Mar 20, 2019 at 9:36 AM Fabio Berta wrote:

> Hi
>
> I have a couple of questions regarding Keycloak's authorisation services.
> Premise:
> - I don't really need the whole user managed permissions and permission
> sharing features that UMA gives. All permissions are given by admin users.
> - My resource server is a NodeJS application, hence I cannot use the
> pre-made Java adapters
>

Did you have a chance to look at the node-js-adapter [1]?

[1] https://github.com/keycloak/keycloak-nodejs-connect/blob/master/test/fixtures/node-console/index.js#L156

> - I'm not sending RPT tokens to public clients at the moment, the resource
> server checks permissions by making a request to Keycloak
>
> Let's assume I want to protect the entity "Config". I need to restrict
> create/delete/update rights for all configs and read rights for every
> single instance of config. To achieve that, I created the scopes
> "config:read", "config:create", "config:delete" and "config:update". I
> created the resource "config" and attached the scopes "config:create",
> "config:delete" and "config:update".
> Because only users with the realm role
> "admin" should be able to create/update/delete, I created a role based
> policy specifying the "admin" role and connected it with the resource
> "config" and the scopes "config:create", "config:delete" and
> "config:update" in a scope-based permission. So far everything is pretty
> straightforward and works well.
>
> Where it gets more complicated is the read rights for individual configs.
> What I have in mind is an interface where admins can create configs and
> manage permissions for them without going through the keycloak admin
> console. Whenever an admin creates a new config, the resource server
> creates a corresponding resource (e.g. config/configId) and stores the id
> of the resource next to the config. I can do that with the Protection API
> (authz/protection/resource_set).
>

Another approach to this problem would be to push claims to your policies so you could avoid creating resources for every single config.

For the Java-based adapter we have the concept of Claim Information Points [1], which basically defines a repository from where the adapter should obtain additional claims in order to push these claims to the server along with an authorization request. You can also look here [2] for more details about how to send these same claims directly to the token endpoint.

With this approach, you would have a single "Config" resource and specific permissions for both write (create/delete/update) and read operations. For admin, you are fine as you just need a role-policy to check if a user is granted the admin role. But for read, you could write a JS-policy [3] that matches the subject making the request with a specific claim that your resource server is pushing to the server, where this claim would contain the user ids or names, for instance. In a nutshell, you are basically making your policy model more flexible so the resource server is in charge of actually passing which users are allowed to access.
The good side of this is that it avoids you creating resources in Keycloak. The bad side is that your resource server is responsible for pushing this information, but maybe this is something you already have in the RS.

[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point
[2] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_pushing_claims

> What I have not yet figured out is how the resource server can set
> permissions at this point. Let's assume the admin has specified two users
> that should be able to access the new config. The resource server should
> create a new user based policy containing the two users and connect it with
> the "config/configId" resource and the scope "config:read" in a scope-based
> permission. From the documentation it looks like the Policy API might be
> able to handle this. But two things confuse me:
> - It says "This API is protected by a bearer token that must represent a
> consent granted by the user to the resource server to manage permissions on
> his behalf". I don't need to manage on the user's behalf, the resource is
> owned by the resource server and the created permission would also be owned
> by the resource server.
> - The examples for the API somehow combine policies and permissions into
> one?
> I tried to use this API with a token obtained via the client credentials
> grant but it failed to create permissions (empty response and nothing got
> created).
>
> I see that the Java Admin Client has the ability to manage permissions but
> I can't find documentation on the REST endpoints it uses. (
> https://www.keycloak.org/docs-api/5.0/rest-api/index.html doesn't contain
> anything authz related). Would the Admin API be the thing to use here or
> can I do this with the Policy API? Or maybe my approach is fundamentally
> flawed and I should approach this from another angle?
>

The Policy API is really for UMA protected resources.
It is not an option in your case.

To achieve your goal, you would need the Admin API. We don't have it documented because it is mainly used by our administration console. For now, you could just capture the requests that the admin console is performing to manage permissions and policies. The API provides a specific endpoint for each policy/permission type as well as a specific payload.

>
> This message got way too long but I hope I was able to make my questions
> clear. Grateful for any help I can get!
>
> Best regards,
> Fabio Berta
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From psilva at redhat.com Wed Mar 20 09:08:29 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 20 Mar 2019 10:08:29 -0300
Subject: [keycloak-user] Authorisation services: resource server managing permissions

Correction ... You can also push claims using node-js-adapter https://github.com/keycloak/keycloak-nodejs-connect/blob/master/test/fixtures/node-console/index.js#L172 .

On Wed, Mar 20, 2019 at 10:05 AM Pedro Igor Silva wrote:

>
>
> On Wed, Mar 20, 2019 at 9:36 AM Fabio Berta wrote:
>
>> Hi
>>
>> I have a couple of questions regarding Keycloak's authorisation services.
>> Premise:
>> - I don't really need the whole user managed permissions and permission
>> sharing features that UMA gives. All permissions are given by admin users.
>> - My resource server is a NodeJS application, hence I cannot use the
>> pre-made Java adapters
>>
>
> Did you have a chance to look at the node-js-adapter [1]?
>
> [1]
> https://github.com/keycloak/keycloak-nodejs-connect/blob/master/test/fixtures/node-console/index.js#L156
>
>
>> - I'm not sending RPT tokens to public clients at the moment, the resource
>> server checks permissions by making a request to Keycloak
>>
>> Let's assume I want to protect the entity "Config".
>> I need to restrict
>> create/delete/update rights for all configs and read rights for every
>> single instance of config. To achieve that, I created the scopes
>> "config:read", "config:create", "config:delete" and "config:update". I
>> created the resource "config" and attached the scopes "config:create",
>> "config:delete" and "config:update". Because only users with the realm
>> role "admin" should be able to create/update/delete, I created a role based
>> policy specifying the "admin" role and connected it with the resource
>> "config" and the scopes "config:create", "config:delete" and
>> "config:update" in a scope-based permission. So far everything is pretty
>> straightforward and works well.
>>
>> Where it gets more complicated is the read rights for individual configs.
>> What I have in mind is an interface where admins can create configs and
>> manage permissions for them without going through the keycloak admin
>> console. Whenever an admin creates a new config, the resource server
>> creates a corresponding resource (e.g. config/configId) and stores the id
>> of the resource next to the config. I can do that with the Protection API
>> (authz/protection/resource_set).
>>
>
> Another approach to this problem would be to push claims to your policies
> so you could avoid creating resources for every single config.
>
> For the Java-based adapter we have the concept of Claim Information Points
> [1], which basically defines a repository from where the adapter should
> obtain additional claims in order to push these claims to the server along
> with an authorization request. You can also look here [2] for more details
> about how to send these same claims directly to the token endpoint.
>
> With this approach, you would have a single "Config" resource and specific
> permissions for both write (create/delete/update) and read operations. For
> admin, you are fine as you just need a role-policy to check if a user is
> granted the admin role. But for read, you could write a JS-policy [3]
> that matches the subject making the request with a specific claim that your
> resource server is pushing to the server, where this claim would contain
> the user ids or names, for instance. In a nutshell, you are basically
> making your policy model more flexible so the resource server is in charge
> of actually passing which users are allowed to access. The good side of this
> is that it avoids you creating resources in Keycloak. The bad side is that
> your resource server is responsible for pushing this information, but maybe
> this is something you already have in the RS.
>
> [1]
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point
> [2]
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_pushing_claims
>
>
>> What I have not yet figured out is how the resource server can set
>> permissions at this point. Let's assume the admin has specified two users
>> that should be able to access the new config. The resource server should
>> create a new user based policy containing the two users and connect it
>> with the "config/configId" resource and the scope "config:read" in a
>> scope-based permission. From the documentation it looks like the Policy
>> API might be able to handle this. But two things confuse me:
>> - It says "This API is protected by a bearer token that must represent a
>> consent granted by the user to the resource server to manage permissions
>> on his behalf". I don't need to manage on the user's behalf, the resource
>> is owned by the resource server and the created permission would also be
>> owned by the resource server.
>> - The examples for the API somehow combine policies and permissions into
>> one?
>> I tried to use this API with a token obtained via the client credentials
>> grant but it failed to create permissions (empty response and nothing got
>> created).
>>
>> I see that the Java Admin Client has the ability to manage permissions but
>> I can't find documentation on the REST endpoints it uses. (
>> https://www.keycloak.org/docs-api/5.0/rest-api/index.html doesn't contain
>> anything authz related). Would the Admin API be the thing to use here or
>> can I do this with the Policy API? Or maybe my approach is fundamentally
>> flawed and I should approach this from another angle?
>>
>
> The Policy API is really for UMA protected resources. It is not an option
> in your case.
>
> To achieve your goal, you would need the Admin API. We don't have it
> documented because it is mainly used by our administration console. For
> now, you could just capture the requests that the admin console is
> performing to manage permissions and policies. The API provides a specific
> endpoint for each policy/permission type as well as a specific payload.
>
>
>>
>> This message got way too long but I hope I was able to make my questions
>> clear. Grateful for any help I can get!
>>
>> Best regards,
>> Fabio Berta
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From bruno at abstractj.org Wed Mar 20 09:52:10 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 20 Mar 2019 10:52:10 -0300
Subject: [keycloak-user] Authentication failed: org.jvnet.libpam.PAMException
References: <20190312153503.GA25306@abstractj.org>
Message-ID: <20190320135210.GA1572@abstractj.org>

Hi Mizuki, I'm afraid to say that's not a bug. Some answers inline.

On 2019-03-19, mizuki wrote:
> Hi Bruno et al,
>
> If possible, please advise the next approach; to me it seems like a bug.
>
> As a workaround, it is possible to enable OTP embedded with keycloak, but
> the preferred way is to have the QR code stored in a central database such as
> IPA, so we can ideally extend the features to other services (enable OTP
> on the gateway, for example).

The only way to enable OTP using IPA + Keycloak is to scan the QR code on the IPA server and later use it with password + OTP in the Keycloak form.

>
> Another question is whether it's possible to separate the Password & OTP for
> users to type in instead of combining them in one input box. SSH login
> separates them as 'First Factor' and 'Second Factor' to allow you to type them
> in separately, which is nice. The OTP coming with Keycloak does the same
> thing: Password and OTP are separate input boxes, which helps to reduce the
> possible mistakes. Especially when OTP is time based, it would be very much
> a hassle for users to type in Password and OTP all at once in one box.

That's not supported at the moment. Our team is unable to fit this suggestion into our current workload and priorities, but we would gladly review any PR submitted with tests and documentation.

>
> Please advise & thanks so much!
> Mizuki
>
> On Thu, Mar 14, 2019 at 8:37 PM mizuki wrote:
>
> > See, pamtester went successful with both cases (whether both OTP and
> > password enabled or OTP only)
> >
> > Case 1: Both Password and OTP are enabled:
> >
> > *[root at mktst1 ~]# pamtester keycloak mmstestu authenticate*
> > First Factor:
> > Second Factor (optional):
> > pamtester: successfully authenticated
> >
> > Case 2: Enabled OTP only:
> > *[root at mktst1 ~]# pamtester Keycloak mmstestu authenticate*
> > First Factor:
> > Second Factor:
> > pamtester: successfully authenticated
> >
> > Note
> > Thanks.
> >
> > On Thu, Mar 14, 2019 at 7:01 PM Bruno Oliveira
> > wrote:
> >
> >> What is the output from pamtester?
> >>
> >> On Thu, Mar 14, 2019, 5:42 PM mizuki wrote:
> >>
> >>> Thanks for the response, Bruno.
> >>>
> >>> I certainly went through the documents and examined the configurations
> >>> carefully. I attached the KRB log from the IPA server as well as /var/log/secure
> >>> from the Keycloak server as supporting evidence (highlighted in blue for
> >>> the important portions).
> >>>
> >>> In the case when both 'password' and 'otp' are enabled for the user in
> >>> IPA, Keycloak failed to authenticate the user with either the password or otp.
> >>>
> >>> [root at idm01 ~]# ipa user-show mmstestu
> >>> User login: mmstestu
> >>> First name: Test
> >>> Last name: 55555
> >>> Home directory: /u0b/mmstestu
> >>> Login shell: /bin/bash
> >>> Principal name: mmstestu at SDCC.BNL.GOV
> >>> Principal alias: mmstestu at SDCC.BNL.GOV
> >>> Kerberos principal expiration: 20690301145828Z
> >>> Email address: smithj4 at example.com
> >>> UID: 7041
> >>> GID: 9965
> >>> SSH public key fingerprint: SHA256:/JlIpowM8fnzu+eVyeDj0Nb08+L3KWn7gG3lmS2YRFk (ssh-rsa)
> >>> User authentication types: otp, password
> >>> Account disabled: False
> >>> Password: True
> >>> Member of groups: ipausers, rhloi13, ravendor, webstaff, eic
> >>> Member of HBAC rule: mktst1
> >>> Kerberos keys available: True
> >>>
> >>> Krb log on IPA server shows the following:
> >>> Mar 14 16:24:36 idm01.sdcc.bnl.gov krb5kdc[9534](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: NEEDED_PREAUTH: mmstestu at SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV at SDCC.BNL.GOV, Additional pre-authentication required
> >>> Mar 14 16:24:36 idm01.sdcc.bnl.gov krb5kdc[9534](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: PREAUTH_FAILED: mmstestu at SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV at SDCC.BNL.GOV, Incorrect password in encrypted challenge
> >>>
> >>> /var/log/secure log on KeyCloak server:
> >>> Mar 14 16:24:36 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost= user=mmstestu
> >>> Mar 14 16:24:36 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth): received for user mmstestu: 17 (Failure setting user credentials)
> >>>
> >>> In ../log/server.log on KeyCloak server:
> >>> 2019-03-14 16:24:36,844 ERROR [org.keycloak.federation.sssd.impl.PAMAuthenticator] (default task-2) Authentication failed: org.jvnet.libpam.PAMException: pam_authenticate failed : Permission denied
> >>> at org.jvnet.libpam.PAM.check(PAM.java:113)
> >>> at org.jvnet.libpam.PAM.authenticate(PAM.java:129)
> >>> at org.keycloak.federation.sssd.impl.PAMAuthenticator.authenticate(PAMAuthenticator.java:53)
> >>> at org.keycloak.federation.sssd.SSSDFederationProvider.isValid(SSSDFederationProvider.java:180)
> >>> at org.keycloak.credential.UserCredentialStoreManager.validate(UserCredentialStoreManager.java:143)
> >>> at org.keycloak.credential.UserCredentialStoreManager.isValid(UserCredentialStoreManager.java:124)
> >>> at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword(AbstractUsernameFormAuthenticator.java:193)
> >>> at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:166)
> >>> at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:55)
> >>> at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:48)
> >>> at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:113)
> >>> at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:97)
> >>> at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873)
> >>> at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292)
> >>> at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:263)
> >>> at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:259)
> >>> at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:320)
> >>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
> >>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
> >>> at java.lang.reflect.Method.invoke(Method.java:508)
> >>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
> >>> at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
> >>> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
> >>> at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
> >>> at org.jboss.resteasy.core.ResourceMethodInvoker$$Lambda$873.00000000AFCB79F0.get(Unknown Source)
> >>> at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
> >>> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
> >>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
> >>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
> >>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
> >>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
> >>> at
org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233) > >>> at > >>> org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$871.00000000B11B4F40.run(Unknown > >>> Source) > >>> at > >>> org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139) > >>> at > >>> org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$872.00000000ACC159F0.get(Unknown > >>> Source) > >>> at > >>> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) > >>> at > >>> org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142) > >>> at > >>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219) > >>> at > >>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) > >>> at > >>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > >>> at > >>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > >>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) > >>> at > >>> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) > >>> at > >>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > >>> at > >>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > >>> at > >>> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) > >>> at > >>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > >>> at > >>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > >>> at > >>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > >>> at > >>> 
io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) > >>> at > >>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > >>> at > >>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > >>> at > >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > >>> at > >>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) > >>> at > >>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > >>> at > >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > >>> at > >>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > >>> at > >>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > >>> at > >>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > >>> at > >>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > >>> at > >>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > >>> at > >>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > >>> at > >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > >>> at > >>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > >>> at > >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > >>> 
at > >>> org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) > >>> at > >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > >>> at > >>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) > >>> at > >>> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) > >>> at > >>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) > >>> at > >>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) > >>> at > >>> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) > >>> at > >>> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) > >>> at > >>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) > >>> at > >>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$721.00000000A8A8CB90.call(Unknown > >>> Source) > >>> at > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > >>> at > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown > >>> Source) > >>> at > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > >>> at > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown > >>> Source) > >>> at > >>> 
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > >>> at > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown > >>> Source) > >>> at > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > >>> at > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown > >>> Source) > >>> at > >>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) > >>> at > >>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > >>> at > >>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) > >>> at > >>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) > >>> at > >>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) > >>> at > >>> org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) > >>> at > >>> org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) > >>> at > >>> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) > >>> at > >>> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) > >>> at java.lang.Thread.run(Thread.java:812) > >>> > >>> Then if I remove the 'password' option and leaves 'otp' only for the > >>> user, KeyCloak does actually authenticate fine (password + QRCode combined > >>> with no space): Following are logs when it successes: > >>> > >>> [root at idm01 ~]# ipa user-mod mmstestu --user-auth-type=otp > >>> ------------------------ > >>> Modified user "mmstestu" > 
> >>> ------------------------
> >>> User login: mmstestu
> >>> First name: Test
> >>> Last name: 55555
> >>> Home directory: /u0b/mmstestu
> >>> Login shell: /bin/bash
> >>> Principal name: mmstestu@SDCC.BNL.GOV
> >>> Principal alias: mmstestu@SDCC.BNL.GOV
> >>> Kerberos principal expiration: 20690301145828Z
> >>> Email address: smithj4@example.com
> >>> UID: 7041
> >>> GID: 9965
> >>> SSH public key fingerprint: SHA256:/JlIpowM8fnzu+eVyeDj0Nb08+L3KWn7gG3lmS2YRFk (ssh-rsa)
> >>> User authentication types: otp
> >>> Account disabled: False
> >>> Password: True
> >>> Member of groups: ipausers, rhloi13, ravendor, webstaff, eic
> >>> Member of HBAC rule: mktst1
> >>> Kerberos keys available: True
> >>>
> >>> In KRB log on IPA server:
> >>> Mar 14 16:28:57 idm01.sdcc.bnl.gov krb5kdc[9535](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: ISSUE: authtime 1552595337, etypes {rep=18 tkt=18 ses=18}, mmstestu@SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV@SDCC.BNL.GOV
> >>> Mar 14 16:28:57 idm01.sdcc.bnl.gov krb5kdc[9535](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: ISSUE: authtime 1552595337, etypes {rep=18 tkt=18 ses=18}, mmstestu@SDCC.BNL.GOV for host/mktst1.sdcc.bnl.gov@SDCC.BNL.GOV
> >>>
> >>> In /var/log/secure on KeyCloak server:
> >>> Mar 14 16:28:57 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth): authentication success; logname=root uid=0 euid=0 tty= ruser= rhost= user=mmstestu
> >>>
> >>> Please advise.
> >>> Thanks.
> >>> Mizuki
> >>>
> >>>
> >>> On Tue, Mar 12, 2019 at 11:35 AM Bruno Oliveira wrote:
> >>>
> >>>> Hi Mizuki,
> >>>>
> >>>> In the scenario you described Keycloak just relies on PAM to
> >>>> authenticate the user. What I'd do before configuring Keycloak is to try
> >>>> dbus-send and pamtester, just to make sure that my setup works.
> >>>>
> >>>> So here's my suggestion, try to run pamtester -v keycloak youruser. If
> >>>> pamtester does not authenticate your user, there's a chance that
> >>>> something is wrong with your setup. Certainly worth reviewing our
> >>>> docs[1].
> >>>>
> >>>> [1] - https://www.keycloak.org/docs/latest/server_admin/index.html#_sssd
> >>>>
> >>>> On 2019-03-05, mizuki wrote:
> >>>> > Hi,
> >>>> >
> >>>> > We are currently evaluating keycloak as a possible authentication mechanism
> >>>> > deployed to our facility.
> >>>> > We use kerberos for user authentication with FreeIPA and configured sssd
> >>>> > for user federation in keycloak (following the official documents both from
> >>>> > keycloak and freeipa.org).
> >>>> > One of the requirements we desire is to enable kerberos password for SSH
> >>>> > login and enable 'otp' for HTTP based applications.
> >>>> >
> >>>> > To do so,
> >>>> > 1. We enabled both user-auth-types for the user:
> >>>> > - password
> >>>> > - password + otp
> >>>> >
> >>>> > 2. Created HBAC rules in IPA, allowing keycloak server access for the following
> >>>> > services: (I purposely did not enable 'otp' at this point as I want to
> >>>> > verify both 'password' and 'otp' shall work)
> >>>> > - keycloak
> >>>> > - sshd
> >>>> >
> >>>> > 3. Confirmed sshd worked with both 'password' and 'otp' types via PAM/SSSD,
> >>>> > then I went ahead and accessed a URL that is protected by keycloak:
> >>>> > 'password' works but 'otp' won't, the following ERRORs were seen in
> >>>> > keycloak's server.log:
> >>>> > -----------
> >>>> > 2019-03-04 17:01:20,246 WARN [org.keycloak.events] (default task-22) type=LOGIN_ERROR, realmId=SDCC, clientId=vproxytest03, userId=9900928d-efee-4192-bbc8-7e29cf512d2b, ipAddress=130.199.6.120, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://www.example.com/secure/*, code_id=d6c83411-4ca8-4d2b-b942-afd0006e98d2, username=mmstestu
> >>>> > 2019-03-04 17:01:43,033 ERROR [org.keycloak.federation.sssd.impl.PAMAuthenticator] (default task-22) Authentication failed: org.jvnet.libpam.PAMException: pam_authenticate failed : Permission denied
> >>>> > at org.jvnet.libpam.PAM.check(PAM.java:113)
> >>>> > at org.jvnet.libpam.PAM.authenticate(PAM.java:129)
> >>>> > at org.keycloak.federation.sssd.impl.PAMAuthenticator.authenticate(PAMAuthenticator.java:53)
> >>>> > at org.keycloak.federation.sssd.SSSDFederationProvider.isValid(SSSDFederationProvider.java:180)
> >>>> > at org.keycloak.credential.UserCredentialStoreManager.validate(UserCredentialStoreManager.java:143)
> >>>> > at org.keycloak.credential.UserCredentialStoreManager.isValid(UserCredentialStoreManager.java:124)
> >>>> > at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword(AbstractUsernameFormAuthenticator.java:193)
> >>>> > at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:166)
> >>>> > at
> >>>> > org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:55)
> >>>> > at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:48)
> >>>> > at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:113)
> >>>> > at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:97)
> >>>> > at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873)
> >>>> > at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292)
> >>>> > at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:263)
> >>>> > at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:259)
> >>>> > at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:320)
> >>>> > at sun.reflect.GeneratedMethodAccessor719.invoke(Unknown Source)
> >>>> > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
> >>>> > at java.lang.reflect.Method.invoke(Method.java:508)
> >>>> > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
> >>>> > at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
> >>>> > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
> >>>> > at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
> >>>> > at org.jboss.resteasy.core.ResourceMethodInvoker$$Lambda$849.00000000BB8BBB40.get(Unknown Source)
> >>>> > at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
> >>>> > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
> >>>> > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
> >>>> > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
> >>>> > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
> >>>> > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
> >>>> > at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
> >>>> > at org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$847.00000000BE026450.run(Unknown Source)
> >>>> > at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
> >>>> > at org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$848.00000000BDC48A90.get(Unknown Source)
> >>>> > at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
> >>>> > at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
> >>>> > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
> >>>> > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
> >>>> > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> >>>> > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> >>>> > at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
> >>>> > at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
> >>>> > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> >>>> > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> >>>> > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
> >>>> > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> >>>> > at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> >>>> > at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> >>>> > at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
> >>>> > at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> >>>> > at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> >>>> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >>>> > at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
> >>>> > at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> >>>> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >>>> > at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> >>>> > at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> >>>> > at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> >>>> > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> >>>> > at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> >>>> > at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> >>>> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >>>> > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> >>>> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >>>> > at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
> >>>> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >>>> > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> >>>> > at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> >>>> > at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> >>>> > at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> >>>> > at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> >>>> > at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> >>>> > at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
> >>>> > at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$693.00000000BCF725B0.call(Unknown Source)
> >>>> > at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> >>>> > at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown Source)
> >>>> > at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> >>>> > at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown Source)
> >>>> > at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> >>>> > at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown Source)
> >>>> > at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> >>>> > at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown Source)
> >>>> > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> >>>> > at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> >>>> > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
> >>>> > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
> >>>> > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
> >>>> > at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> >>>> > at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
> >>>> > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
> >>>> > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
> >>>> > at java.lang.Thread.run(Thread.java:812)
> >>>> > ------------------
> >>>> >
> >>>> > Interesting thing is keycloak handles OTP just
fine if I have > >>>> > 'password+otp' only checked on, then we won't be able to log onto the > >>>> > machines via SSH using password, that defeats our purposes. > >>>> > > >>>> > I tested different version of JAVA and the latest keycloak (4.8.3) > >>>> version > >>>> > (on REHL 7), all got the same results. > >>>> > I'm wondering if this is more likely a bug or I missed something. > >>>> > I'd appreciate if someone can advice what the approach is. > >>>> > > >>>> > Thank you very much. > >>>> > > >>>> > Mizuki > >>>> > _______________________________________________ > >>>> > keycloak-user mailing list > >>>> > keycloak-user at lists.jboss.org > >>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user > >>>> > >>>> -- > >>>> > >>>> abstractj > >>>> > >>> -- abstractj From fnberta at gmail.com Wed Mar 20 09:53:51 2019 From: fnberta at gmail.com (Fabio Berta) Date: Wed, 20 Mar 2019 14:53:51 +0100 Subject: [keycloak-user] Authorisation services: resource server managing permissions In-Reply-To: References: Message-ID: Hi Pedro, Thank you very much for quick answer, very helpful! Pedro Igor Silva schrieb am Mi., 20. M?rz 2019 um 14:08 Uhr: > Correction ... You can also push claims using node-js-adapter > https://github.com/keycloak/keycloak-nodejs-connect/blob/master/test/fixtures/node-console/index.js#L172 > . > > On Wed, Mar 20, 2019 at 10:05 AM Pedro Igor Silva > wrote: > >> >> >> On Wed, Mar 20, 2019 at 9:36 AM Fabio Berta wrote: >> >>> Hi >>> >>> I have a couple of questions regarding Keycloak's authorisation services. >>> Premiss: >>> - I don't really need the whole user managed permissions and permission >>> sharing features that UMA gives. All permissions are given by admin >>> users. >>> - My resource server is a NodeJS application, hence I cannot use the >>> pre-made Java adapters >>> >> >> Did you had a change to look the node-js-adapter [1] ? >> > Yes, thanks! 
We actually used the node-js-adapter for inspiration in a lot of cases when building our own custom adapter (which only supports a small subset of the node-js-adapter and also does other things). > >> [1] >> https://github.com/keycloak/keycloak-nodejs-connect/blob/master/test/fixtures/node-console/index.js#L156 >> >> >>> - I'm not sending RPT tokens to public clients at the moment, the >>> resource >>> server checks permissions by making a request to Keycloak >>> >>> Let's assume I want to protect the entity "Config". I need to restrict >>> create/delete/update rights for all configs and read rights for every >>> single instance of config. To achieve that, I created the the scopes >>> "config:read", "config:create", "config:delete" and "config:update". I >>> created the resource "config" and attached the scopes "config:create", >>> "config:delete" and "config:update". Because only users with the realm >>> role >>> "admin" should be able to create/update/delete, I created a role based >>> policy specifying the "admin" role and connected it with the resource >>> "config" and the scopes "config:create", "config:delete" and >>> "config:update" in a scope-based permission. So far everything is pretty >>> straightforward and works well. >>> >>> Where it's get more complicated is the read rights for individual >>> configs. >>> What I have in mind is an interface where admins can create configs and >>> manage permissions for them without going through the keycloak admin >>> console. Whenever an admin creates a new config, the resource server >>> creates a corresponding resource (e.g. config/configId) and stores the id >>> of the resource next to the config. I can do that with Protection API >>> (authz/protection/resource_set). >>> >> >> Another approach to this problem would be to push claims to your policies >> so you could avoid creating resources for every single config. 
>>
>> For the Java-based adapter we have the concept of Claim Information Points [1], which basically defines a repository from where the adapter should obtain additional claims in order to push these claims to the server along with an authorization request. You can also look here [2] for more details about how to send these same claims directly to the token endpoint.
>>
>> With this approach, you would have a single "Config" resource and specific permissions for both write (create/delete/update) and read operations. For admin, you are fine as you just need a role-policy to check if a user is granted the admin role. But for read, you could write a JS-policy [3] that matches the subject making the request with a specific claim that your resource server is pushing to the server, where this claim would contain the user ids or names, for instance. In a nutshell, you are basically making your policy model more flexible so the resource server is in charge of actually passing which users are allowed to access. The good side of this is that it avoids you creating resources in Keycloak. The bad side is that your resource server is responsible for pushing this information, but maybe this is something you already have in the RS.
>>
>> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point
>> [2] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_pushing_claims
>>
Interesting, so this would mean that my resource server would need to keep track of which users have access to which config. My fear would be that this logic could get complex quite fast when it has to track a mixture of group and user permissions (I would basically be re-implementing the different policies keycloak offers, I guess? Although currently only user and group are relevant for us.). We also have multiple resource servers which all talk to the same keycloak instance.
If the resource server needs to keep track of all permissions, I would need to have this logic in every resource server. The beauty of having the resources in keycloak would be that the resource servers would only need to store the resourceId for every config (or any other entity) and nothing else. Or am I missing something?

A follow-up question would be: is creating resources for every single config a bad thing and would you in general advise against it? I assume the list of resources would get very big over time but I don't know if that's a problem? I guess it could be when I need to query keycloak for all resources a user has access to in order to list them. If this list is huge, this could get costly at some point.
>
>>> What I have not yet figured out is how the resource server can set permissions at this point. Let's assume the admin has specified two users that should be able to access the new config. The resource server should create a new user based policy containing the two users and connect it with the "config/configId" resource and the scope "config:read" in a scope-based permission. From the documentation it looks like the Policy API might be able to handle this. But two things confuse me:
>>> - It says "This API is protected by a bearer token that must represent a consent granted by the user to the resource server to manage permissions on his behalf". I don't need to manage on the user's behalf, the resource is owned by the resource server and the created permission would also be owned by the resource server.
>>> - The examples for the API somehow combine policies and permissions into one?
>>> I tried to use this API with a token obtained via the client credentials grant but it failed to create permissions (empty response and nothing got created).
>>>
>>> I see that the Java Admin Client has the ability to manage permissions but I can't find documentation on the REST endpoints it uses. (https://www.keycloak.org/docs-api/5.0/rest-api/index.html doesn't contain anything authz related). Would the Admin API be the thing to use here or can I do this with the Policy API? Or maybe my approach is fundamentally flawed and I should approach this from another angle?
>>>
>>
>> The Policy API is really for UMA protected resources. It is not an option in your case.
>>
>> To achieve your goal, you would need the Admin API. We don't have it documented because it is mainly used by our administration console. For now, you could just capture the requests that the admin console is performing to manage permissions and policies. The API provides a specific endpoint for each policy/permission type as well as a specific payload.
>>
I see, thanks! A related question: the admin console also uses the Admin API to create resources. If I need to create resources in my resource server, are there advantages in using the Protection API or shall I use the Admin API for this case as well?
>
>>
>>> This message got way too long but I hope I was able to make my questions clear. Grateful for any help I can get!
>>>
>>> Best regards,
>>> Fabio Berta
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>

From mehdi.chaabouni at gmail.com Wed Mar 20 10:00:46 2019
From: mehdi.chaabouni at gmail.com (MEHDi CHAABOUNi)
Date: Wed, 20 Mar 2019 10:00:46 -0400
Subject: [keycloak-user] User roles deleted after SSO idle session expires
In-Reply-To: References: Message-ID:

Hi,

I'm using Azure Active Directory to authenticate users and I have set up custom mappers to import roles (mapping groups from Active Directory to Keycloak roles).
I'm pretty sure the scenario was not working before. There was a lot of development on the front-end application so we didn't notice the problem until we started using it.

When the problem occurs for a user, he's still logged in to the application but all the features are disabled because he has no role (the assigned roles section in keycloak is empty).

The logs I sent yesterday mention:
DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-1) Token will not be stored for identity provider [microsoft]
which is logged in the method IdentityBrokerService.authenticated(BrokeredIdentityContext context).

Going through that method, I found this piece of code (the generic type parameter was lost in the archive and is restored here):

    Set<IdentityProviderMapperModel> mappers = realmModel.getIdentityProviderMappersByAlias(context.getIdpConfig().getAlias());
    if (mappers != null) {
        KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory();
        for (IdentityProviderMapperModel mapper : mappers) {
            IdentityProviderMapper target = (IdentityProviderMapper) sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper());
            target.preprocessFederatedIdentity(session, realmModel, mapper, context);
        }
    }

That's why I suspect that the mappers are not triggered.

Thanks!

On Wed, Mar 20, 2019 at 8:11 AM Pedro Igor Silva wrote:
> Hi,
>
> Are you using a broker to authenticate your users? Your setup is not clear if that is the case, so I'm not sure if the method you pointed out is related.
>
> Can you confirm that this scenario was working before?
>
> By losing roles, you mean they are not within the access token?
>
> Regards.
> Pedro Igor
>
> On Tue, Mar 19, 2019 at 9:16 AM MEHDi CHAABOUNi wrote:
>
>> Hi,
>>
>> This is our Keycloak setup:
>>
>> - Keycloak docker container 4.4.0.Final
>> - Azure Active Directory (mapping groups to roles)
>> - Keycloak client protocol: openid-connect
>> - 3 optional client scopes
>>
>> We noticed lately that users using the front-end application (angular) are losing all roles after the SSO idle session expires.
>> This behaviour is also seen in the 4.8.3.Final version.
>> It seems that the Identity Provider Mappers are not triggered for some reason and I can't dig any deeper; nothing much is logged in the method IdentityBrokerService.authenticated(BrokeredIdentityContext context).
>>
>> Any ideas?
>> How can I run Keycloak from source?
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mizuki0621 at gmail.com Wed Mar 20 10:17:39 2019
From: mizuki0621 at gmail.com (mizuki)
Date: Wed, 20 Mar 2019 10:17:39 -0400
Subject: [keycloak-user] Authentication failed: org.jvnet.libpam.PAMException
In-Reply-To: <20190320135210.GA1572@abstractj.org>
References: <20190312153503.GA25306@abstractj.org> <20190320135210.GA1572@abstractj.org>
Message-ID:

Hi Bruno,

That's exactly what we were trying to do, in line with your suggestion (if I interpreted your msg correctly).
------
The only way to enable OTP using IPA + Keycloak is to scan the QR code on IPA server and later use it with password + OTP in the Keycloak form.
------
Scan the QR code using IPA (NOT using the KeyCloak QR code, to be clear); it only works when the user has 'Two factor authentication' checked as User authentication type. If the user also has 'password' checked, Keycloak fails to authenticate users.
But the same PAM stack used by SSH authenticates the user just fine (all my previous emails prove that).

There are 3 types of 'User authentication types' to choose for individual users in IPA:
- Password
- RADIUS
- Two factor authentication (password + OTP)

I'm attaching a screenshot from the IPA Web UI.

Thanks.
Mizuki

On Wed, Mar 20, 2019 at 9:52 AM Bruno Oliveira wrote:
> Hi Mizuki, I'm afraid to say that's not a bug. Some answers inline.
>
> On 2019-03-19, mizuki wrote:
> > Hi Bruno et al,
> >
> > If possible, please advise the next approach, to me it seems like a bug.
> >
> > As a workaround, it is possible to enable OTP embedded with keycloak, but the preferred way is to have the QR code stored in the central database such as IPA, so we can ideally extend the features to other services (enable OTP on the gateway for example).
>
> The only way to enable OTP using IPA + Keycloak is to scan the QR code on IPA server and later use it with password + OTP in the Keycloak form.
>
> >
> > Another question is, if it's possible to separate the Password & OTP for users to type in instead of combining them in one input box. SSH login separates them as 'First Factor' and 'Second Factor' to allow you to type them in separately, which is nice. The OTP coming with Keycloak does the same thing, Password and OTP are separate input boxes, which helps to reduce possible mistakes. Especially when OTP is time based, it would be very much a hassle for users to type in Password and OTP all at once in one box.
>
> That's not supported at the moment. Our team is unable to fit this suggestion into our current workload and priorities, but we would gladly review any PR submitted with tests and documentation.
>
> >
> > Please advise & thanks so much!
> > Mizuki
> >
> > On Thu, Mar 14, 2019 at 8:37 PM mizuki wrote:
> >
> > > See, pamtester went successfully in both cases (whether both OTP and password are enabled or OTP only):
> > >
> > > Case 1: Both Password and OTP are enabled:
> > >
> > > [root at mktst1 ~]# pamtester keycloak mmstestu authenticate
> > > First Factor:
> > > Second Factor (optional):
> > > pamtester: successfully authenticated
> > >
> > > Case 2: Enabled OTP only:
> > > [root at mktst1 ~]# pamtester Keycloak mmstestu authenticate
> > > First Factor:
> > > Second Factor:
> > > pamtester: successfully authenticated
> > >
> > > Note
> > > Thanks.
> > >
> > > On Thu, Mar 14, 2019 at 7:01 PM Bruno Oliveira wrote:
> > >
> > >> What is the output from pamtester?
> > >>
> > >> On Thu, Mar 14, 2019, 5:42 PM mizuki wrote:
> > >>
> > >>> Thanks for the response, Bruno.
> > >>>
> > >>> I certainly went through the documents and examined the configurations carefully. I attached the KRB log from the IPA server as well as /var/log/secure from the Keycloak server as supporting evidence (highlighted in blue for the important portions).
> > >>>
> > >>> In the case when both 'password' and 'otp' are enabled for the user in IPA, Keycloak failed to authenticate the user with either the password or otp.
> > >>>
> > >>> [root at idm01 ~]# ipa user-show mmstestu
> > >>> User login: mmstestu
> > >>> First name: Test
> > >>> Last name: 55555
> > >>> Home directory: /u0b/mmstestu
> > >>> Login shell: /bin/bash
> > >>> Principal name: mmstestu at SDCC.BNL.GOV
> > >>> Principal alias: mmstestu at SDCC.BNL.GOV
> > >>> Kerberos principal expiration: 20690301145828Z
> > >>> Email address: smithj4 at example.com
> > >>> UID: 7041
> > >>> GID: 9965
> > >>> SSH public key fingerprint: SHA256:/JlIpowM8fnzu+eVyeDj0Nb08+L3KWn7gG3lmS2YRFk (ssh-rsa)
> > >>> User authentication types: otp, password
> > >>> Account disabled: False
> > >>> Password: True
> > >>> Member of groups: ipausers, rhloi13, ravendor, webstaff, eic
> > >>> Member of HBAC rule: mktst1
> > >>> Kerberos keys available: True
> > >>>
> > >>> The Krb log on the IPA server shows the following:
> > >>> Mar 14 16:24:36 idm01.sdcc.bnl.gov krb5kdc[9534](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: NEEDED_PREAUTH: mmstestu at SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV at SDCC.BNL.GOV, Additional pre-authentication required
> > >>> Mar 14 16:24:36 idm01.sdcc.bnl.gov krb5kdc[9534](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: PREAUTH_FAILED: mmstestu at SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV at SDCC.BNL.GOV, Incorrect password in encrypted challenge
> > >>>
> > >>> /var/log/secure log on the KeyCloak server:
> > >>> Mar 14 16:24:36 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost= user=mmstestu
> > >>> Mar 14 16:24:36 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth): received for user mmstestu: 17 (Failure setting user credentials)
> > >>>
> > >>> In ../log/server.log on the KeyCloak server:
> > >>> 2019-03-14 16:24:36,844 ERROR [org.keycloak.federation.sssd.impl.PAMAuthenticator] (default task-2) Authentication failed:
> > >>> org.jvnet.libpam.PAMException: pam_authenticate failed : Permission denied
> > >>> at org.jvnet.libpam.PAM.check(PAM.java:113)
> > >>> at org.jvnet.libpam.PAM.authenticate(PAM.java:129)
> > >>> at org.keycloak.federation.sssd.impl.PAMAuthenticator.authenticate(PAMAuthenticator.java:53)
> > >>> at org.keycloak.federation.sssd.SSSDFederationProvider.isValid(SSSDFederationProvider.java:180)
> > >>> at org.keycloak.credential.UserCredentialStoreManager.validate(UserCredentialStoreManager.java:143)
> > >>> at org.keycloak.credential.UserCredentialStoreManager.isValid(UserCredentialStoreManager.java:124)
> > >>> at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword(AbstractUsernameFormAuthenticator.java:193)
> > >>> at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:166)
> > >>> at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:55)
> > >>> at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:48)
> > >>> at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:113)
> > >>> at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:97)
> > >>> at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873)
> > >>> at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292)
> > >>> at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:263)
> > >>> at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:259)
> > >>> (remaining frames are RESTEasy/Undertow/JBoss framework frames)
> > >>> at java.lang.Thread.run(Thread.java:812)
> > >>>
> > >>> Then if I remove the 'password' option and leave 'otp' only for the user, KeyCloak does actually authenticate fine (password + QR code combined with no space). Following are the logs when it succeeds:
> > >>>
> > >>> [root at idm01 ~]# ipa user-mod mmstestu --user-auth-type=otp
> > >>> ------------------------
> > >>> Modified user "mmstestu"
> > >>> ------------------------
> > >>> User login: mmstestu
> > >>> First name: Test
> > >>> Last name: 55555
> > >>> Home directory: /u0b/mmstestu
> > >>> Login shell: /bin/bash
> > >>> Principal name: mmstestu at SDCC.BNL.GOV
> > >>> Principal alias: mmstestu at SDCC.BNL.GOV
> > >>> Kerberos principal expiration: 20690301145828Z
> > >>> Email address: smithj4 at example.com
> > >>> UID: 7041
> > >>> GID: 9965
> > >>> SSH public key fingerprint: SHA256:/JlIpowM8fnzu+eVyeDj0Nb08+L3KWn7gG3lmS2YRFk (ssh-rsa)
> > >>> User authentication types: otp
> > >>> Account disabled: False
> > >>> Password: True
> > >>> Member of groups: ipausers, rhloi13, ravendor, webstaff, eic
> > >>> Member of HBAC rule: mktst1
> > >>> Kerberos keys available: True
> > >>>
> > >>> In the KRB log on the IPA server:
> > >>> Mar 14 16:28:57 idm01.sdcc.bnl.gov krb5kdc[9535](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: ISSUE: authtime 1552595337, etypes {rep=18 tkt=18 ses=18}, mmstestu at SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV at SDCC.BNL.GOV
> > >>> Mar 14 16:28:57 idm01.sdcc.bnl.gov krb5kdc[9535](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: ISSUE: authtime 1552595337, etypes {rep=18 tkt=18 ses=18}, mmstestu at SDCC.BNL.GOV for host/mktst1.sdcc.bnl.gov at SDCC.BNL.GOV
> > >>>
> > >>> In /var/log/secure on the KeyCloak server:
> > >>> Mar 14 16:28:57 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth): authentication success; logname=root uid=0 euid=0 tty= ruser= rhost= user=mmstestu
> > >>>
> > >>> Please advise.
> > >>> Thanks.
> > >>> Mizuki
> > >>>
> > >>> On Tue, Mar 12, 2019 at 11:35 AM Bruno Oliveira wrote:
> > >>>
> > >>>> Hi Mizuki,
> > >>>>
> > >>>> In the scenario you described Keycloak just relies on PAM to authenticate the user.
> > >>>> What I'd do before configuring Keycloak is to try dbus-send and pamtester, just to make sure that my setup works.
> > >>>>
> > >>>> So here's my suggestion: try to run pamtester -v keycloak youruser. If pamtester does not authenticate your user, there's a chance that something is wrong with your setup. Certainly worth reviewing our docs[1].
> > >>>>
> > >>>> [1] - https://www.keycloak.org/docs/latest/server_admin/index.html#_sssd
> > >>>>
> > >>>> On 2019-03-05, mizuki wrote:
> > >>>> > Hi,
> > >>>> >
> > >>>> > We are currently evaluating keycloak as a possible authentication mechanism deployed to our facility.
> > >>>> > We use kerberos for user authentication with FreeIPA and configured sssd for user federation in keycloak (following the official documents from both keycloak and freeipa.org).
> > >>>> > One of the requirements we desire is to enable the kerberos password for SSH login and enable 'otp' for HTTP based applications.
> > >>>> >
> > >>>> > To do so,
> > >>>> > 1. We enabled both user-auth-types for the user:
> > >>>> > - password
> > >>>> > - password + otp
> > >>>> >
> > >>>> > 2. Created HBAC rules in IPA, allowing keycloak server access for the following services: (I purposely did not enable 'otp' at this point as I want to verify both 'password' and 'otp' shall work)
> > >>>> > - keycloak
> > >>>> > - sshd
> > >>>> >
> > >>>> > 3. Confirmed sshd worked with both 'password' and 'otp' types via PAM/SSSD, then I went ahead and accessed a URL that is protected by keycloak; 'password' works but 'otp' won't, the following ERRORs were seen in keycloak's server.log:
> > >>>> > -----------
> > >>>> > 019-03-04 17:01:20,246 WARN [org.keycloak.events] (default task-22) type=LOGIN_ERROR, realmId=SDCC, clientId=vproxytest03, userId=9900928d-efee-4192-bbc8-7e29cf512d2b, ipAddress=130.199.6.120, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://www.example.com/secure/*, code_id=d6c83411-4ca8-4d2b-b942-afd0006e98d2, username=mmstestu
> > >>>> > 2019-03-04 17:01:43,033 ERROR [org.keycloak.federation.sssd.impl.PAMAuthenticator] (default task-22) Authentication failed: org.jvnet.libpam.PAMException: pam_authenticate failed : Permission denied
> > >>>> > at org.jvnet.libpam.PAM.check(PAM.java:113)
> > >>>> > at org.jvnet.libpam.PAM.authenticate(PAM.java:129)
> > >>>> > at org.keycloak.federation.sssd.impl.PAMAuthenticator.authenticate(PAMAuthenticator.java:53)
> > >>>> > at org.keycloak.federation.sssd.SSSDFederationProvider.isValid(SSSDFederationProvider.java:180)
> > >>>> > at org.keycloak.credential.UserCredentialStoreManager.validate(UserCredentialStoreManager.java:143)
> > >>>> > at org.keycloak.credential.UserCredentialStoreManager.isValid(UserCredentialStoreManager.java:124)
> > >>>> > at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword(AbstractUsernameFormAuthenticator.java:193)
> > >>>> > (remaining frames are the same Keycloak form/flow and RESTEasy/Undertow framework frames as in the trace above)
> > >>>> > org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > > >>>> > > > >>>> > at > javax.servlet.http.HttpServlet.service(HttpServlet.java:791) > > >>>> > at > > >>>> > > > >>>> > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > > >>>> > > > >>>> > at > > >>>> > > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) > > >>>> > at > > >>>> > > > >>>> > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > 
io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > 
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > 
org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$693.00000000BCF725B0.call(Unknown > > >>>> > Source) > > >>>> > at > > >>>> > > > >>>> > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown > > >>>> > Source) > > >>>> > at > > >>>> > > > >>>> > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown > > >>>> > Source) > > >>>> > at > > >>>> > > > >>>> > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown > > >>>> > Source) > > >>>> > at > > >>>> > > > >>>> > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown > > >>>> > Source) > > >>>> > at > > >>>> > > > >>>> > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > 
> >>>> > > > >>>> > at > > >>>> > > > >>>> > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) > > >>>> > > > >>>> > at > > >>>> > > io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) > > >>>> > at > > >>>> > > > >>>> > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) > > >>>> > at > > >>>> > > > >>>> > org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) > > >>>> > > > >>>> > at > > >>>> > > > >>>> > org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) > > >>>> > > > >>>> > at java.lang.Thread.run(Thread.java:812) > > >>>> > ------------------ > > >>>> > > > >>>> > Interesting thing is keycloak handles OTP just fine if I have > > >>>> > 'password+otp' only checked on, then we won't be able to log > onto the > > >>>> > machines via SSH using password, that defeats our purposes. > > >>>> > > > >>>> > I tested different version of JAVA and the latest keycloak (4.8.3) > > >>>> version > > >>>> > (on REHL 7), all got the same results. > > >>>> > I'm wondering if this is more likely a bug or I missed something. > > >>>> > I'd appreciate if someone can advice what the approach is. > > >>>> > > > >>>> > Thank you very much. > > >>>> > > > >>>> > Mizuki > > >>>> > _______________________________________________ > > >>>> > keycloak-user mailing list > > >>>> > keycloak-user at lists.jboss.org > > >>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user > > >>>> > > >>>> -- > > >>>> > > >>>> abstractj > > >>>> > > >>> > > -- > > abstractj > -------------- next part -------------- A non-text attachment was scrubbed... 
From psilva at redhat.com Wed Mar 20 10:32:46 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 20 Mar 2019 11:32:46 -0300
Subject: [keycloak-user] Authorisation services: resource server managing permissions
In-Reply-To:
References:
Message-ID:

On Wed, Mar 20, 2019 at 10:54 AM Fabio Berta wrote:
> Hi Pedro,
>
> Thank you very much for the quick answer, very helpful!
>
> Pedro Igor Silva schrieb am Mi., 20. März 2019 um 14:08 Uhr:
>> Correction ... You can also push claims using node-js-adapter
>> https://github.com/keycloak/keycloak-nodejs-connect/blob/master/test/fixtures/node-console/index.js#L172 .
>>
>> On Wed, Mar 20, 2019 at 10:05 AM Pedro Igor Silva wrote:
>>> On Wed, Mar 20, 2019 at 9:36 AM Fabio Berta wrote:
>>>> Hi
>>>>
>>>> I have a couple of questions regarding Keycloak's authorisation services.
>>>> Premise:
>>>> - I don't really need the whole user-managed permissions and permission sharing features that UMA gives. All permissions are given by admin users.
>>>> - My resource server is a NodeJS application, hence I cannot use the pre-made Java adapters
>>>
>>> Did you have a chance to look at the node-js-adapter [1]?
>
> Yes, thanks! We actually used the node-js-adapter for inspiration in a lot of cases when building our own custom adapter (which only supports a small subset of the node-js-adapter and also does other things).
>
>>> [1] https://github.com/keycloak/keycloak-nodejs-connect/blob/master/test/fixtures/node-console/index.js#L156
>>>
>>>> - I'm not sending RPT tokens to public clients at the moment, the resource server checks permissions by making a request to Keycloak
>>>>
>>>> Let's assume I want to protect the entity "Config".
>>>> I need to restrict create/delete/update rights for all configs and read rights for every single instance of config. To achieve that, I created the scopes "config:read", "config:create", "config:delete" and "config:update". I created the resource "config" and attached the scopes "config:create", "config:delete" and "config:update". Because only users with the realm role "admin" should be able to create/update/delete, I created a role-based policy specifying the "admin" role and connected it with the resource "config" and the scopes "config:create", "config:delete" and "config:update" in a scope-based permission. So far everything is pretty straightforward and works well.
>>>>
>>>> Where it gets more complicated is the read rights for individual configs. What I have in mind is an interface where admins can create configs and manage permissions for them without going through the keycloak admin console. Whenever an admin creates a new config, the resource server creates a corresponding resource (e.g. config/configId) and stores the id of the resource next to the config. I can do that with the Protection API (authz/protection/resource_set).
>>>
>>> Another approach to this problem would be to push claims to your policies so you could avoid creating resources for every single config.
>>>
>>> For the Java-based adapter we have the concept of Claim Information Points [1], which basically defines a repository from where the adapter should obtain additional claims in order to push these claims to the server along with an authorization request. You can also look here [2] for more details about how to send these same claims directly to the token endpoint.
>>>
>>> With this approach, you would have a single "Config" resource and specific permissions for both write (create/delete/update) and read operations.
>>> For admin, you are fine as you just need a role policy to check if a user is granted the admin role. But for read, you could write a JS policy [3] that matches the subject making the request with a specific claim that your resource server is pushing to the server, where this claim would contain the user ids or names, for instance. In a nutshell, you are basically making your policy model more flexible so the resource server is in charge of actually passing which users are allowed access. The good side of this is that it avoids you creating resources in Keycloak. The bad side is that your resource server is responsible for pushing this information, but maybe this is something you already have in the RS.
>>>
>>> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point
>>> [2] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_pushing_claims
>
> Interesting, so this would mean that my resource server would need to keep track of which users have access to which config. My fear would be that this logic could get complex quite fast when it has to track a mixture of group and user permissions (I would basically be re-implementing the different policies keycloak offers, I guess? Although currently only user and group are relevant for us.). We also have multiple resource servers which all talk to the same keycloak instance. If the resource server needs to keep track of all permissions, I would need to have this logic in every resource server. The beauty of having the resources in keycloak would be that the resource servers would only need to store the resourceId for every config (or any other entity) and nothing else. Or am I missing something?

Yeah, that is the bad side I mentioned. Just wanted to put another solution on the table.

There is another one that may help with your problem too.
Resources have attributes and you could use attributes to keep track of the list of users or groups that are allowed to access the resources. Then, in a JS policy, you could match the subject against the users/groups in the resource's attributes.

> Follow-up question would be, is creating resources for every single config a bad thing and would you in general advise against it? I assume the list of resources would get very big over time but I don't know if that's a problem? I guess it could be when I need to query keycloak for all resources a user has access to in order to list them. If this list is huge, this could get costly at some point.

There is nothing wrong in managing a huge amount of resources in the server. The admin console should behave fine, as well as policy evaluation. The policy evaluation should be optimized for processing permissions for a set of one or more resources (when you specify the resources/scopes in the authorization request), but a "give me all entitlements" approach may suffer a bit ...

Maybe one thing we could do though is to also allow the resource server to have user-managed resources, where the user, in this case, would be the service account. That would simplify your use case a lot as you would just need to create the resource and use the Policy API (through a single API, the Protection API). But this is something that needs more discussion as we are quite moving out of scope ...

>>>> What I have not yet figured out is how the resource server can set permissions at this point. Let's assume the admin has specified two users that should be able to access the new config. The resource server should create a new user-based policy containing the two users and connect it with the "config/configId" resource and the scope "config:read" in a scope-based permission. From the documentation it looks like the Policy API might be able to handle this.
>>>> But two things confuse me:
>>>> - It says "This API is protected by a bearer token that must represent a consent granted by the user to the resource server to manage permissions on his behalf". I don't need to manage on the user's behalf; the resource is owned by the resource server and the created permission would also be owned by the resource server.
>>>> - The examples for the API somehow combine policies and permissions into one?
>>>> I tried to use this API with a token obtained via the client credentials grant but it failed to create permissions (empty response and nothing got created).
>>>>
>>>> I see that the Java Admin Client has the ability to manage permissions but I can't find documentation on the REST endpoints it uses. (https://www.keycloak.org/docs-api/5.0/rest-api/index.html doesn't contain anything authz related). Would the Admin API be the thing to use here or can I do this with the Policy API? Or maybe my approach is fundamentally flawed and I should approach this from another angle?
>>>
>>> The Policy API is really for UMA protected resources. It is not an option in your case.
>>>
>>> To achieve your goal, you would need the Admin API. We don't have it documented because it is mainly used by our administration console. For now, you could just capture the requests that the admin console is performing to manage permissions and policies. The API provides a specific endpoint for each policy/permission type as well as a specific payload.
>
> I see, thanks! A related question: the admin console also uses the Admin API to create resources. If I need to create resources in my resource server, are there advantages in using the Protection API or shall I use the Admin API for this case as well?

For your particular case, I think the Admin API.
The reason is that you will also need to manage permissions and policies and you probably want to avoid using two distinct APIs.

>>>> This message got way too long but I hope I was able to make my questions clear. Grateful for any help I can get!
>>>>
>>>> Best regards,
>>>> Fabio Berta

From psilva at redhat.com Wed Mar 20 10:42:33 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 20 Mar 2019 11:42:33 -0300
Subject: [keycloak-user] User roles deleted after SSO idle session expires
In-Reply-To:
References:
Message-ID:

Are your custom mappers client mappers or identity provider mappers? An empty list of mappers does not make sense if you have defined mappers for your identity provider.

On Wed, Mar 20, 2019 at 11:01 AM MEHDi CHAABOUNi wrote:
> Hi,
>
> I'm using Azure Active Directory to authenticate users and I have set up custom mappers to import roles (mapping groups from Active Directory to Keycloak roles).
> I'm pretty sure the scenario was not working before. There was a lot of development on the front-end application so we didn't notice the problem until we started using it.
> When the problem occurs for a user, he's still logged in to the application but all the features are disabled because he has no role (the assigned roles section in keycloak is empty).
>
> The logs I sent yesterday mention:
> DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-1) Token will not be stored for identity provider [microsoft]
>
> which is logged in the method IdentityBrokerService.authenticated(BrokeredIdentityContext context)
>
> Going through that method, I found this piece of code:
>
>     Set<IdentityProviderMapperModel> mappers = realmModel.getIdentityProviderMappersByAlias(context.getIdpConfig().getAlias());
>     if (mappers != null) {
>         KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory();
>         for (IdentityProviderMapperModel mapper : mappers) {
>             IdentityProviderMapper target = (IdentityProviderMapper) sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper());
>             target.preprocessFederatedIdentity(session, realmModel, mapper, context);
>         }
>     }
>
> That's why I suspect that the mappers are not triggered.
>
> Thanks!
>
> On Wed, Mar 20, 2019 at 8:11 AM Pedro Igor Silva wrote:
>> Hi,
>>
>> Are you using a broker to authenticate your users? Your setup is not clear if that is the case, so I'm not sure if the method you pointed out is related.
>>
>> Can you confirm that this scenario was working before?
>>
>> By losing roles, you mean they are not within the access token?
>>
>> Regards.
>> Pedro Igor
>>
>> On Tue, Mar 19, 2019 at 9:16 AM MEHDi CHAABOUNi <mehdi.chaabouni at gmail.com> wrote:
>>> Hi,
>>>
>>> This is our Keycloak setup:
>>>
>>> - Keycloak docker container 4.4.0.Final
>>> - Azure Active Directory (mapping groups to roles)
>>> - Keycloak client protocol: openid-connect
>>> - 3 optional client scopes
>>>
>>> We noticed lately that users using the front-end application (angular) are losing all roles after the SSO idle session expires.
>>> This behaviour is also seen in the 4.8.3.Final version.
>>> It seems that the Identity Provider Mappers are not triggered for some reason and I can't dig any deeper; not much is logged in the method IdentityBrokerService.authenticated(BrokeredIdentityContext context).
>>>
>>> Any ideas?
>>> How can I run Keycloak from source?

From fnberta at gmail.com Wed Mar 20 11:25:23 2019
From: fnberta at gmail.com (Fabio Berta)
Date: Wed, 20 Mar 2019 16:25:23 +0100
Subject: [keycloak-user] Authorisation services: resource server managing permissions
In-Reply-To:
References:
Message-ID:

Pedro Igor Silva schrieb am Mi., 20. März 2019 um 15:32 Uhr:
> On Wed, Mar 20, 2019 at 10:54 AM Fabio Berta wrote:
>> Hi Pedro,
>>
>> Thank you very much for the quick answer, very helpful!
>>
>> Pedro Igor Silva schrieb am Mi., 20. März 2019 um 14:08 Uhr:
>>> Correction ... You can also push claims using node-js-adapter
>>> https://github.com/keycloak/keycloak-nodejs-connect/blob/master/test/fixtures/node-console/index.js#L172 .
>>>
>>> On Wed, Mar 20, 2019 at 10:05 AM Pedro Igor Silva wrote:
>>>> On Wed, Mar 20, 2019 at 9:36 AM Fabio Berta wrote:
>>>>> Hi
>>>>>
>>>>> I have a couple of questions regarding Keycloak's authorisation services.
>>>>> Premise:
>>>>> - I don't really need the whole user-managed permissions and permission sharing features that UMA gives. All permissions are given by admin users.
>>>>> - My resource server is a NodeJS application, hence I cannot use the pre-made Java adapters
>>>>
>>>> Did you have a chance to look at the node-js-adapter [1]?
>>
>> Yes, thanks! We actually used the node-js-adapter for inspiration in a lot of cases when building our own custom adapter (which only supports a small subset of the node-js-adapter and also does other things).
>>>> [1] https://github.com/keycloak/keycloak-nodejs-connect/blob/master/test/fixtures/node-console/index.js#L156
>>>>
>>>>> - I'm not sending RPT tokens to public clients at the moment, the resource server checks permissions by making a request to Keycloak
>>>>>
>>>>> Let's assume I want to protect the entity "Config". I need to restrict create/delete/update rights for all configs and read rights for every single instance of config. To achieve that, I created the scopes "config:read", "config:create", "config:delete" and "config:update". I created the resource "config" and attached the scopes "config:create", "config:delete" and "config:update". Because only users with the realm role "admin" should be able to create/update/delete, I created a role-based policy specifying the "admin" role and connected it with the resource "config" and the scopes "config:create", "config:delete" and "config:update" in a scope-based permission. So far everything is pretty straightforward and works well.
>>>>>
>>>>> Where it gets more complicated is the read rights for individual configs. What I have in mind is an interface where admins can create configs and manage permissions for them without going through the keycloak admin console. Whenever an admin creates a new config, the resource server creates a corresponding resource (e.g. config/configId) and stores the id of the resource next to the config. I can do that with the Protection API (authz/protection/resource_set).
>>>>
>>>> Another approach to this problem would be to push claims to your policies so you could avoid creating resources for every single config.
>>>>
>>>> For the Java-based adapter we have the concept of Claim Information Points [1], which basically defines a repository from where the adapter should obtain additional claims in order to push these claims to the server along with an authorization request. You can also look here [2] for more details about how to send these same claims directly to the token endpoint.
>>>>
>>>> With this approach, you would have a single "Config" resource and specific permissions for both write (create/delete/update) and read operations. For admin, you are fine as you just need a role policy to check if a user is granted the admin role. But for read, you could write a JS policy [3] that matches the subject making the request with a specific claim that your resource server is pushing to the server, where this claim would contain the user ids or names, for instance. In a nutshell, you are basically making your policy model more flexible so the resource server is in charge of actually passing which users are allowed access. The good side of this is that it avoids you creating resources in Keycloak. The bad side is that your resource server is responsible for pushing this information, but maybe this is something you already have in the RS.
>>>>
>>>> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point
>>>> [2] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_pushing_claims
>>
>> Interesting, so this would mean that my resource server would need to keep track of which users have access to which config. My fear would be that this logic could get complex quite fast when it has to track a mixture of group and user permissions (I would basically be re-implementing the different policies keycloak offers, I guess? Although currently only user and group are relevant for us.).
>> We also have multiple resource servers which all talk to the same keycloak instance. If the resource server needs to keep track of all permissions, I would need to have this logic in every resource server. The beauty of having the resources in keycloak would be that the resource servers would only need to store the resourceId for every config (or any other entity) and nothing else. Or am I missing something?
>
> Yeah, that is the bad side I mentioned. Just wanted to put another solution on the table.
>
> There is another one that may help with your problem too. Resources have attributes and you could use attributes to keep track of the list of users or groups that are allowed to access the resources. Then, in a JS policy, you could match the subject against the users/groups in the resource's attributes.

That's another interesting suggestion, I will look into this, thanks!

>> Follow-up question would be, is creating resources for every single config a bad thing and would you in general advise against it? I assume the list of resources would get very big over time but I don't know if that's a problem? I guess it could be when I need to query keycloak for all resources a user has access to in order to list them. If this list is huge, this could get costly at some point.
>
> There is nothing wrong in managing a huge amount of resources in the server. The admin console should behave fine, as well as policy evaluation. The policy evaluation should be optimized for processing permissions for a set of one or more resources (when you specify the resources/scopes in the authorization request), but a "give me all entitlements" approach may suffer a bit ...

Awesome, in that case I'm leaning towards going with creating a resource for every config.
This seems like the cleanest solution to me and would also make it easier to switch to a UMA flow if user-managed permissions should ever become a requirement at some point in the future. For the "give me all permissions" use case, I can always pass the "config:read" scope as the permission param of the token query with "urn:ietf:params:oauth:grant-type:uma-ticket" grant type. I think this should keep the size of the returned list manageable. > > Maybe one thing we could do though is to also allow the resource server to > have user-managed resources, where the user, in this case, would be the > service account. That would simplify your use case a lot as you would just > need to create the resource and use the Policy API (through a single API, > the Protection API). But this is something that needs more discussion as we > are moving quite far out of scope ... > Yes, that was basically what I had in mind when I tried using the Policy API. If this is something you are considering, I'm happy to provide more details on our use cases if that helps. For now I think I can achieve a similar thing by using the Admin API for creating resources and permissions as you suggested. > > >> >> >>> >>>>> What I have not yet figured out is how the resource server can set >>>>> permissions at this point. Let's assume the admin has specified two >>>>> users >>>>> that should be able to access the new config. The resource server >>>>> should >>>>> create a new user-based policy containing the two users and connect it >>>>> with >>>>> the "config/configId" resource and the scope "config:read" in a >>>>> scope-based >>>>> permission. From the documentation it looks like the Policy API might >>>>> be >>>>> able to handle this. But two things confuse me: >>>>> - It says "This API is protected by a bearer token that must represent >>>>> a >>>>> consent granted by the user to the resource server to manage >>>>> permissions on >>>>> his behalf". 
I don't need to manage on the user's behalf, the resource >>>>> is >>>>> owned by the resource server and the created permission would also be >>>>> owned >>>>> by the resource server. >>>>> - The examples for the API somehow combine policies and permissions >>>>> into >>>>> one? >>>>> I tried to use this API with a token obtained via the client >>>>> credentials >>>>> grant but it failed to create permissions (empty response and nothing >>>>> got >>>>> created). >>>>> >>>>> I see that the Java Admin Client has the ability to manage permissions >>>>> but >>>>> I can't find documentation on the REST endpoints it uses. ( >>>>> https://www.keycloak.org/docs-api/5.0/rest-api/index.html doesn't >>>>> contain >>>>> anything authz related). Would the Admin API be the thing to use here >>>>> or >>>>> can I do this with the Policy API? Or maybe my approach is >>>>> fundamentally >>>>> flawed and I should approach this from another angle? >>>>> >>>> >>>> The Policy API is really for UMA-protected resources. It is not an >>>> option in your case. >>>> >>>> To achieve your goal, you would need the Admin API. We don't have it >>>> documented because it is mainly used by our administration console. For >>>> now, you could just capture the requests that the admin console is >>>> performing to manage permissions and policies. The API provides a specific >>>> endpoint for each policy/permission type as well as a specific payload. >>>> >>> >> I see, thanks! A related question, the admin console also uses the Admin >> API to create resources. If I need to create resources in my resource >> server, are there advantages in using the Protection API or shall I use the >> Admin API for this case as well? >> > > For your particular case, I think the Admin API. The reason is that you > will also need to manage permissions and policies and you probably want to > avoid using two distinct APIs. > I see, makes sense. Will switch to the Admin API then for managing resources. 
> > >> >> >>> >>>> >>>>> >>>>> This message got way too long but I hope I was able to make my questions >>>>> clear. Grateful for any help I can get! >>>>> >>>>> Best regards, >>>>> Fabio Berta >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> From mehdi.chaabouni at gmail.com Wed Mar 20 11:52:58 2019 From: mehdi.chaabouni at gmail.com (MEHDi CHAABOUNi) Date: Wed, 20 Mar 2019 11:52:58 -0400 Subject: [keycloak-user] User roles deleted after SSO idle session expires In-Reply-To: References: Message-ID: They are identity provider mappers. We do see in the logs that groups are being received from AD: { "aio": "AVQAq/8KAAAA8PGjXf4lVf/Ydo+0vf17iyg5aSofK2vDHlFc3kT2AJD7aEfowYNdsos5tGCOIcfpclqcEvJm3a/0q9vrOIqFISk5DIiSxsbgXaqOQnDLUjc=", "amr": "[\"pwd\",\"mfa\"]", "family_name": "Chaabouni", "given_name": "Mehdi", "ipaddr": "207.96.238.194", "name": "Mehdi Chaabouni", "oid": "cbb75a8f-09a4-441b-8652-4a13ddb22d1c", "onprem_sid": "S-1-5-21-808638481-369274112-3737512417-3656", "sub": "MxyEhfA1tiGU2xQ-L7w-CI59-7FS4ibR6BYT6pl6aTc", "tid": "aab561d6-005e-45d1-807a-d7f53dc07034", "unique_name": "mchaabouni at test.com", "upn": "mchaabouni at test.com", "uti": "ea2dC_nciUGsfUk4mr4SAQ", "ver": "1.0", "groups": [ "[\"fea349bb-4183-477b-b3bc-c489133b4546\",\"882e10f9-3682-4a26-9938-b29084ef8135\"]" ] } The groups are mapped correctly the first time that the user is imported into keycloak. On Wed, Mar 20, 2019 at 10:42 AM Pedro Igor Silva wrote: > Are your custom mappers client mappers or identity provider mappers? An > empty list of mappers does not make sense if you have defined mappers for > your identity provider. 
> > On Wed, Mar 20, 2019 at 11:01 AM MEHDi CHAABOUNi < > mehdi.chaabouni at gmail.com> wrote: > >> Hi, >> >> I'm using Azure Active Directory to authenticate users and I have set up >> custom mappers to import roles (mapping groups from Active Directory to >> Keycloak roles). >> I'm pretty sure the scenario was not working before. There was a lot of >> development on the front-end application so we didn't notice the problem >> until we started using it. >> When the problem occurs for a user, he's still logged in to the >> application but all the features are disabled because he has no role (The >> assigned roles section in keycloak is empty). >> >> The logs I sent yesterday mention: >> DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default >> task-1) Token will not be stored for identity provider [microsoft] >> >> which is logged in the method >> IdentityBrokerService.authenticated(BrokeredIdentityContext context) >> >> Going through that method, I found this piece of code: >> >> Set<IdentityProviderMapperModel> mappers = realmModel.getIdentityProviderMappersByAlias(context.getIdpConfig().getAlias()); >> if (mappers != null) { >> KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); >> for (IdentityProviderMapperModel mapper : mappers) { >> IdentityProviderMapper target = (IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper()); >> target.preprocessFederatedIdentity(session, realmModel, mapper, context); >> } >> } >> >> That's why I suspect that the mappers are not triggered. >> >> Thanks! >> >> >> >> >> On Wed, Mar 20, 2019 at 8:11 AM Pedro Igor Silva >> wrote: >> >>> Hi, >>> >>> Are you using a broker to authenticate your users ? Your setup is not >>> clear if that is the case, so I'm not sure if the method you pointed out is >>> related. >>> >>> Can you confirm that this scenario was working before? >>> >>> By losing roles, you mean they are not within the access token? >>> >>> Regards. 
>>> Pedro Igor >>> >>> >>> >>> On Tue, Mar 19, 2019 at 9:16 AM MEHDi CHAABOUNi < >>> mehdi.chaabouni at gmail.com> wrote: >>> >>>> Hi, >>>> >>>> This is our Keycloak setup: >>>> >>>> - Keycloak docker container 4.4.0.Final >>>> - Azure Active Directory (mapping groups to roles) >>>> - Keycloak client protocol: openid-connect >>>> - 3 optional client scopes >>> >>> >>>> >>>> >>>> We noticed lately that users using the front-end application (angular) >>>> are >>>> losing all roles after the SSO idle session expires. >>>> This behaviour is also seen in the 4.8.3.Final version. >>>> It seems that the Identity Provider Mappers are not triggered for some >>>> reason and I can't dig any deeper; nothing much is logged in the method >>>> IdentityBrokerService.authenticated(BrokeredIdentityContext context). >>>> >>>> Any ideas? >>>> How can I run Keycloak from source? >>>> >>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> From roxspring at imapmail.org Wed Mar 20 12:34:55 2019 From: roxspring at imapmail.org (roxspring at imapmail.org) Date: Wed, 20 Mar 2019 16:34:55 -0000 Subject: [keycloak-user] Listing the UMA resources accessible by a user In-Reply-To: <095301d4d4f4$9f4624b0$ddd26e10$@imapmail.org> References: <08cf01d4d4e8$0d7e9e10$287bda30$@imapmail.org> <095301d4d4f4$9f4624b0$ddd26e10$@imapmail.org> Message-ID: <035101d4df3a$dac57d60$90507820$@imapmail.org> Using a modern API client definitely improves things but I'm struggling to see how this scales. If there are 1000+ resources then the policy seems to have to load each in turn for the policy to execute (at least according to the Java and JavaScript Policy Evaluation API). Presumably running a Java policy will be faster than the JavaScript ones I've played with but fundamentally there's a lot of database access. 
Do other built-in policies get to use SQL filters and indexes to operate at database speed? - perhaps I need to restrict myself to those sorts of policies to handle large numbers of resources?? Or for 1000+ resources am I better off having my resource server take control of ownership and not using UMA for it at all? Keycloak's UMA appears to offer great flexibility, and is great when you already know the resources, but falls down for resource discovery. Or am I missing something? I'm curious to know of other people's experience with Keycloak UMA + scale! Thanks, Rob > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org bounces at lists.jboss.org> On Behalf Of roxspring at imapmail.org > Sent: 07 March 2019 14:47 > To: 'Pedro Igor Silva' > Cc: 'keycloak-user' > Subject: Re: [keycloak-user] Listing the UMA resources accessible by a user > > Thanks Pedro - that gives me something to try out! > > > > (Turns out I was using an old client and didn't have that API available; time for > some upgrades!) > > > > From: Pedro Igor Silva > Sent: 07 March 2019 13:36 > To: roxspring at imapmail.org > Cc: keycloak-user > Subject: Re: [keycloak-user] Listing the UMA resources accessible by a user > > > > Hi, > > > > We have an API that allows you to resources shared to a specific user if the > access was granted based on the standard UMA flow (using permission tickets). > The Keycloak AuthZ Java Client [1] provides access to this API. > > > > [1] > https://github.com/keycloak/keycloak/blob/76076cdb3c5d7f83084b6794707b1 > 1e8b1a499c6/authz/client/src/main/java/org/keycloak/authorization/client/res > ource/PermissionResource.java#L197 > > > > On Thu, Mar 7, 2019 at 10:21 AM > wrote: > > Hi folks, > > > > UMA seems to be a great solution to model fine grained permissions and allow > scenarios such as "Alice shares Folder X with Bob". 
> > > > Keycloak seems to implement this well with APIs for the resource server to ask > "Given [User] and [Folder X], can the user do [Scope]?" and provide answers for > both Alice and Bob based on some policy. > > > > Where I'm struggling is that our application also needs to provide answer "Given > [User], which folders can they do [Scope] to?" and I'm not clear how best to > achieve this with Keycloak. > > > > A. Track which folders a user owns or can access and answer the > question directly in the resource server, but that results in the resource server > having a rigid model of the authorization rules and loses the benefits of > Keycloak's flexible policies (or duplicates the policy which seems just as bad). > B. Have the resource server choose some subset of all folders and ask > Keycloak to validate each resource, but that becomes very chatty and slow > when there are 1000s of resources to validate. > C. Just ask Keycloak to validate all resources and just return those > the user can access, but that's also potentially slow with 1000s of resources to > validate and 100s accessible. > > a. As above but with additional filtering by resource type to trim the > options. > b. As above but with additional filtering by attributes (e.g. where > property:owner = "Alice") > c. As above but with a full blown query language (e.g. "WHERE > type=Folder AND (property:owner=Alice OR property:sharedwith contains Alice) > > D. .? > > > > I was expecting some variant of C to be the recommended way forward but I > can't find the relevant APIs (even without filtering). What's the best way to > model such a (presumably common) scenario? 
> > > > Thanks, > > > > Rob > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From psilva at redhat.com Wed Mar 20 13:49:09 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 20 Mar 2019 14:49:09 -0300 Subject: [keycloak-user] Listing the UMA resources accessible by a user In-Reply-To: <035101d4df3a$dac57d60$90507820$@imapmail.org> References: <08cf01d4d4e8$0d7e9e10$287bda30$@imapmail.org> <095301d4d4f4$9f4624b0$ddd26e10$@imapmail.org> <035101d4df3a$dac57d60$90507820$@imapmail.org> Message-ID: On Wed, Mar 20, 2019 at 1:35 PM wrote: > Using a modern API client definitely improves things but I'm struggling to > see how this scales. > > If there are 1000+ resources then the policy seems to have to load each > in turn for the policy to execute (at least according to the Java and > JavaScript Policy Evaluation API). Presumably running a Java policy will be > faster than the JavaScript ones I've played with but fundamentally there's > a lot of database access. > Do other built-in policies get to use SQL filters and indexes to operate > at database speed? - perhaps I need to restrict myself to those sorts of > policies to handle large numbers of resources?? > Or for 1000+ resources am I better off having my resource server take > control of ownership and not using UMA for it at all? > Resources are loaded depending on the requested permissions. And yeah, JS is using Nashorn and it is indeed slower than other policy types. You should not see a lot of database access though as we cache entries such as resources, permissions and policies. Authorization requests should benefit from this cache once it is hot. 
When doing UMA you usually make authorization requests for a single resource (the one you received the ticket from the resource server response). And evaluation should be fast. The same goes if you make authorization requests for specific resources. During evaluation the engine also tries to avoid re-evaluating policies that were already processed for a given resource or scopes. > > Keycloak's UMA appears to offer great flexibility, and is great when you > already know the resources, but falls down for resource discovery. Or am I > missing something? > Yeah, you are right. Although we allow you to query permissions based on resource names and scopes. In case your client is aware of the resources and scopes protected by the RS. > > I'm curious to know of other people's experience with Keycloak UMA + scale! > > Thanks, > > Rob > > > -----Original Message----- > > From: keycloak-user-bounces at lists.jboss.org > bounces at lists.jboss.org> On Behalf Of roxspring at imapmail.org > > Sent: 07 March 2019 14:47 > > To: 'Pedro Igor Silva' > > Cc: 'keycloak-user' > > Subject: Re: [keycloak-user] Listing the UMA resources accessible by a > user > > > > Thanks Pedro - that gives me something to try out! > > > > > > > > (Turns out I was using an old client and didn't have that API available; > time for > > some upgrades!) > > > > > > > > From: Pedro Igor Silva > > Sent: 07 March 2019 13:36 > > To: roxspring at imapmail.org > > Cc: keycloak-user > > Subject: Re: [keycloak-user] Listing the UMA resources accessible by a > user > > > > > > > > Hi, > > > > > > > > We have an API that allows you to resources shared to a specific user if > the > > access was granted based on the standard UMA flow (using permission > tickets). > > The Keycloak AuthZ Java Client [1] provides access to this API. 
> > > > > > > > [1] > > https://github.com/keycloak/keycloak/blob/76076cdb3c5d7f83084b6794707b1 > > > 1e8b1a499c6/authz/client/src/main/java/org/keycloak/authorization/client/res > > ource/PermissionResource.java#L197 > > > > > > > > On Thu, Mar 7, 2019 at 10:21 AM > > wrote: > > > > Hi folks, > > > > > > > > UMA seems to be a great solution to model fine grained permissions and > allow > > scenarios such as "Alice shares Folder X with Bob". > > > > > > > > Keycloak seems to implement this well with APIs for the resource server > to ask > > "Given [User] and [Folder X], can the user do [Scope]?" and provide > answers for > > both Alice and Bob based on some policy. > > > > > > > > Where I'm struggling is that our application also needs to provide > answer "Given > > [User], which folders can they do [Scope] to?" and I'm not clear how > best to > > achieve this with Keycloak. > > > > > > > > A. Track which folders a user owns or can access and answer the > > question directly in the resource server, but that results in the > resource server > > having a rigid model of the authorization rules and loses the benefits of > > Keycloak's flexible policies (or duplicates the policy which seems just > as bad). > > B. Have the resource server choose some subset of all folders and ask > > Keycloak to validate each resource, but that becomes very chatty and slow > > when there are 1000s of resources to validate. > > C. Just ask Keycloak to validate all resources and just return those > > the user can access, but that's also potentially slow with 1000s of > resources to > > validate and 100s accessible. > > > > a. As above but with additional filtering by resource type to trim > the > > options. > > b. As above but with additional filtering by attributes (e.g. where > > property:owner = "Alice") > > c. As above but with a full blown query language (e.g. "WHERE > > type=Folder AND (property:owner=Alice OR property:sharedwith contains > Alice) > > > > D. .? 
> > > > > > > > I was expecting some variant of C to be the recommended way forward but I > > can't find the relevant APIs (even without filtering). What's the best > way to > > model such a (presumably common) scenario? > > > > > > > > Thanks, > > > > > > > > Rob > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From psilva at redhat.com Wed Mar 20 15:07:24 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 20 Mar 2019 16:07:24 -0300 Subject: [keycloak-user] User roles deleted after SSO idle session expires In-Reply-To: References: Message-ID: Are you using a "Claim to Role" identity mapper ? Are you mapping groups to roles in the realm ? Asking because, I think that this specific mapper is only removing roles in case there is no claim in the token from the IdP. So roles are mapped and granted only during the first login. On Wed, Mar 20, 2019 at 12:53 PM MEHDi CHAABOUNi wrote: > They are identity provider mappers. 
> > We do see in the logs that groups are being received from AD: > > { > "aio": "AVQAq/8KAAAA8PGjXf4lVf/Ydo+0vf17iyg5aSofK2vDHlFc3kT2AJD7aEfowYNdsos5tGCOIcfpclqcEvJm3a/0q9vrOIqFISk5DIiSxsbgXaqOQnDLUjc=", > "amr": "[\"pwd\",\"mfa\"]", > "family_name": "Chaabouni", > "given_name": "Mehdi", > "ipaddr": "207.96.238.194", > "name": "Mehdi Chaabouni", > "oid": "cbb75a8f-09a4-441b-8652-4a13ddb22d1c", > "onprem_sid": "S-1-5-21-808638481-369274112-3737512417-3656", > "sub": "MxyEhfA1tiGU2xQ-L7w-CI59-7FS4ibR6BYT6pl6aTc", > "tid": "aab561d6-005e-45d1-807a-d7f53dc07034", > "unique_name": "mchaabouni at test.com", > "upn": "mchaabouni at test.com", > "uti": "ea2dC_nciUGsfUk4mr4SAQ", > "ver": "1.0", > "groups": [ > "[\"fea349bb-4183-477b-b3bc-c489133b4546\",\"882e10f9-3682-4a26-9938-b29084ef8135\"]" > ] > } > > > The groups are mapped correctly the first time that the user is imported > into keycloak. > > > On Wed, Mar 20, 2019 at 10:42 AM Pedro Igor Silva > wrote: > >> Are your custom mappers client mappers or identity provider mappers? An >> empty list of mappers does not make sense if you have defined mappers for >> your identity provider. >> >> On Wed, Mar 20, 2019 at 11:01 AM MEHDi CHAABOUNi < >> mehdi.chaabouni at gmail.com> wrote: >> >>> Hi, >>> >>> I'm using Azure Active Directory to authenticate users and I have set up >>> custom mappers to import roles (mapping groups from Active Directory to >>> Keycloak roles). >>> I'm pretty sure the scenario was not working before. There was a lot of >>> development on the front-end application so we didn't notice the problem >>> until we started using it. >>> When the problem occurs for a user, he's still logged in to the >>> application but all the features are disabled because he has no role (The >>> assigned roles section in keycloak is empty). 
>>> >>> The logs I sent yesterday mention: >>> DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default >>> task-1) Token will not be stored for identity provider [microsoft] >>> >>> which is logged in the method >>> IdentityBrokerService.authenticated(BrokeredIdentityContext context) >>> >>> Going through that method, I found this piece of code: >>> >>> Set<IdentityProviderMapperModel> mappers = realmModel.getIdentityProviderMappersByAlias(context.getIdpConfig().getAlias()); >>> if (mappers != null) { >>> KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); >>> for (IdentityProviderMapperModel mapper : mappers) { >>> IdentityProviderMapper target = (IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper()); >>> target.preprocessFederatedIdentity(session, realmModel, mapper, context); >>> } >>> } >>> >>> That's why I suspect that the mappers are not triggered. >>> >>> Thanks! >>> >>> >>> >>> >>> On Wed, Mar 20, 2019 at 8:11 AM Pedro Igor Silva >>> wrote: >>> >>>> Hi, >>>> >>>> Are you using a broker to authenticate your users ? Your setup is not >>>> clear if that is the case, so I'm not sure if the method you pointed out is >>>> related. >>>> >>>> Can you confirm that this scenario was working before? >>>> >>>> By losing roles, you mean they are not within the access token? >>>> >>>> Regards. >>>> Pedro Igor >>>> >>>> >>>> >>>> On Tue, Mar 19, 2019 at 9:16 AM MEHDi CHAABOUNi < >>>> mehdi.chaabouni at gmail.com> wrote: >>>> >>>>> Hi, >>>>> >>>>> This is our Keycloak setup: >>>>> >>>>> - Keycloak docker container 4.4.0.Final >>>>> - Azure Active Directory (mapping groups to roles) >>>>> - Keycloak client protocol: openid-connect >>>>> - 3 optional client scopes >>>> >>>> >>>>> >>>>> >>>>> We noticed lately that users using the front-end application (angular) >>>>> are >>>>> losing all roles after the SSO idle session expires. >>>>> This behaviour is also seen in the 4.8.3.Final version. 
>>>>> It seems that the Identity Provider Mappers are not triggered for some >>>>> reason and I can't dig any deeper; nothing much is logged in the method >>>>> IdentityBrokerService.authenticated(BrokeredIdentityContext context). >>>>> >>>>> Any ideas? >>>>> How can I run Keycloak from source? >>>>> >>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> From psilva at redhat.com Wed Mar 20 15:15:47 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 20 Mar 2019 16:15:47 -0300 Subject: [keycloak-user] User roles deleted after SSO idle session expires In-Reply-To: References: Message-ID: Btw, just talked with Marek and he told me there is an issue for the behaviour I mentioned https://issues.jboss.org/browse/KEYCLOAK-8690. On Wed, Mar 20, 2019 at 4:07 PM Pedro Igor Silva wrote: > Are you using a "Claim to Role" identity mapper ? Are you mapping groups > to roles in the realm ? > > Asking because, I think that this specific mapper is only removing roles > in case there is no claim in the token from the IdP. So roles are mapped > and granted only during the first login. > > > On Wed, Mar 20, 2019 at 12:53 PM MEHDi CHAABOUNi < > mehdi.chaabouni at gmail.com> wrote: > >> They are identity provider mappers. 
>> >> We do see in the logs that groups are being received from AD: >> >> { >> "aio": "AVQAq/8KAAAA8PGjXf4lVf/Ydo+0vf17iyg5aSofK2vDHlFc3kT2AJD7aEfowYNdsos5tGCOIcfpclqcEvJm3a/0q9vrOIqFISk5DIiSxsbgXaqOQnDLUjc=", >> "amr": "[\"pwd\",\"mfa\"]", >> "family_name": "Chaabouni", >> "given_name": "Mehdi", >> "ipaddr": "207.96.238.194", >> "name": "Mehdi Chaabouni", >> "oid": "cbb75a8f-09a4-441b-8652-4a13ddb22d1c", >> "onprem_sid": "S-1-5-21-808638481-369274112-3737512417-3656", >> "sub": "MxyEhfA1tiGU2xQ-L7w-CI59-7FS4ibR6BYT6pl6aTc", >> "tid": "aab561d6-005e-45d1-807a-d7f53dc07034", >> "unique_name": "mchaabouni at test.com", >> "upn": "mchaabouni at test.com", >> "uti": "ea2dC_nciUGsfUk4mr4SAQ", >> "ver": "1.0", >> "groups": [ >> "[\"fea349bb-4183-477b-b3bc-c489133b4546\",\"882e10f9-3682-4a26-9938-b29084ef8135\"]" >> ] >> } >> >> >> The groups are mapped correctly the first time that the user is imported >> into keycloak. >> >> >> On Wed, Mar 20, 2019 at 10:42 AM Pedro Igor Silva >> wrote: >> >>> Are your custom mappers client mappers or identity provider mappers? An >>> empty list of mappers does not make sense if you have defined mappers for >>> your identity provider. >>> >>> On Wed, Mar 20, 2019 at 11:01 AM MEHDi CHAABOUNi < >>> mehdi.chaabouni at gmail.com> wrote: >>> >>>> Hi, >>>> >>>> I'm using Azure Active Directory to authenticate users and I have set up >>>> custom mappers to import roles (mapping groups from Active Directory to >>>> Keycloak roles). >>>> I'm pretty sure the scenario was not working before. There was a lot of >>>> development on the front-end application so we didn't notice the problem >>>> until we started using it. >>>> When the problem occurs for a user, he's still logged in to the >>>> application but all the features are disabled because he has no role (The >>>> assigned roles section in keycloak is empty). 
>>>> >>>> The logs I sent yesterday mention: >>>> DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default >>>> task-1) Token will not be stored for identity provider [microsoft] >>>> >>>> which is logged in the method >>>> IdentityBrokerService.authenticated(BrokeredIdentityContext context) >>>> >>>> Going through that method, I found this piece of code: >>>> >>>> Set<IdentityProviderMapperModel> mappers = realmModel.getIdentityProviderMappersByAlias(context.getIdpConfig().getAlias()); >>>> if (mappers != null) { >>>> KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); >>>> for (IdentityProviderMapperModel mapper : mappers) { >>>> IdentityProviderMapper target = (IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper()); >>>> target.preprocessFederatedIdentity(session, realmModel, mapper, context); >>>> } >>>> } >>>> >>>> That's why I suspect that the mappers are not triggered. >>>> >>>> Thanks! >>>> >>>> >>>> >>>> >>>> On Wed, Mar 20, 2019 at 8:11 AM Pedro Igor Silva >>>> wrote: >>>> >>>>> Hi, >>>>> >>>>> Are you using a broker to authenticate your users ? Your setup is not >>>>> clear if that is the case, so I'm not sure if the method you pointed out is >>>>> related. >>>>> >>>>> Can you confirm that this scenario was working before? >>>>> >>>>> By losing roles, you mean they are not within the access token? >>>>> >>>>> Regards. >>>>> Pedro Igor >>>>> >>>>> >>>>> >>>>> On Tue, Mar 19, 2019 at 9:16 AM MEHDi CHAABOUNi < >>>>> mehdi.chaabouni at gmail.com> wrote: >>>>> >>>>>> Hi, >>>>>> >>>>>> This is our Keycloak setup: >>>>>> >>>>>> - Keycloak docker container 4.4.0.Final >>>>>> - Azure Active Directory (mapping groups to roles) >>>>>> - Keycloak client protocol: openid-connect >>>>>> - 3 optional client scopes >>>>> >>>>> >>>>>> >>>>>> >>>>>> We noticed lately that users using the front-end application >>>>>> (angular) are >>>>>> losing all roles after the SSO idle session expires. 
>>>>>> This behaviour is also seen in the 4.8.3.Final version. >>>>>> It seems that the Identity Provider Mappers are not triggered for some >>>>>> reason and I can't dig any deeper; nothing much is logged in the method >>>>>> IdentityBrokerService.authenticated(BrokeredIdentityContext context). >>>>>> >>>>>> Any ideas? >>>>>> How can I run Keycloak from source? >>>>>> >>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>>> From mehdi.chaabouni at gmail.com Wed Mar 20 15:25:27 2019 From: mehdi.chaabouni at gmail.com (MEHDi CHAABOUNi) Date: Wed, 20 Mar 2019 15:25:27 -0400 Subject: [keycloak-user] User roles deleted after SSO idle session expires In-Reply-To: References: Message-ID: Yes, I'm using a "Claim to Role" identity mapper: { "id": "8836ab75-fc4c-4c49-98bd-c3be177a539b", "name": "developer-mapper", "identityProviderAlias": "microsoft", "identityProviderMapper": "oidc-role-idp-mapper", "config": { "claim": "groups", "role": "admin", "claim.value": "fea349bb-4183-477b-b3bc-c489133b4546" } } Is there a workaround until the issue is fixed? Maybe a "Post flow login"? (if it's useful, I'm not sure how to set it up) Thanks Pedro! On Wed, Mar 20, 2019 at 3:15 PM Pedro Igor Silva wrote: > Btw, just talked with Marek and he told me there is an issue for the > behaviour I mentioned https://issues.jboss.org/browse/KEYCLOAK-8690. > > On Wed, Mar 20, 2019 at 4:07 PM Pedro Igor Silva > wrote: > >> Are you using a "Claim to Role" identity mapper ? Are you mapping groups >> to roles in the realm ? >> >> Asking because, I think that this specific mapper is only removing roles >> in case there is no claim in the token from the IdP. So roles are mapped >> and granted only during the first login. >> >> >> On Wed, Mar 20, 2019 at 12:53 PM MEHDi CHAABOUNi < >> mehdi.chaabouni at gmail.com> wrote: >> >>> They are identity provider mappers. 
>>> >>> We do see in the logs that groups are being received from AD: >>> >>> { >>> "aio": "AVQAq/8KAAAA8PGjXf4lVf/Ydo+0vf17iyg5aSofK2vDHlFc3kT2AJD7aEfowYNdsos5tGCOIcfpclqcEvJm3a/0q9vrOIqFISk5DIiSxsbgXaqOQnDLUjc=", >>> "amr": "[\"pwd\",\"mfa\"]", >>> "family_name": "Chaabouni", >>> "given_name": "Mehdi", >>> "ipaddr": "207.96.238.194", >>> "name": "Mehdi Chaabouni", >>> "oid": "cbb75a8f-09a4-441b-8652-4a13ddb22d1c", >>> "onprem_sid": "S-1-5-21-808638481-369274112-3737512417-3656", >>> "sub": "MxyEhfA1tiGU2xQ-L7w-CI59-7FS4ibR6BYT6pl6aTc", >>> "tid": "aab561d6-005e-45d1-807a-d7f53dc07034", >>> "unique_name": "mchaabouni at test.com", >>> "upn": "mchaabouni at test.com", >>> "uti": "ea2dC_nciUGsfUk4mr4SAQ", >>> "ver": "1.0", >>> "groups": [ >>> "[\"fea349bb-4183-477b-b3bc-c489133b4546\",\"882e10f9-3682-4a26-9938-b29084ef8135\"]" >>> ] >>> } >>> >>> >>> The groups are mapped correctly the first time that the user is imported >>> into keycloak. >>> >>> >>> On Wed, Mar 20, 2019 at 10:42 AM Pedro Igor Silva >>> wrote: >>> >>>> Are your custom mappers client mappers or identity provider mappers? >>>> An empty list of mappers does not make sense if you have defined >>>> mappers for your identity provider. >>>> >>>> On Wed, Mar 20, 2019 at 11:01 AM MEHDi CHAABOUNi < >>>> mehdi.chaabouni at gmail.com> wrote: >>>> >>>>> Hi, >>>>> >>>>> I'm using Azure Active Directory to authenticate users and I have >>>>> set up custom mappers to import roles (mapping groups from Active Directory >>>>> to Keycloak roles). >>>>> I'm pretty sure the scenario was not working before. There was a lot >>>>> of development on the front-end application so we didn't notice the problem >>>>> until we started using it. >>>>> When the problem occurs for a user, he's still logged in to the >>>>> application but all the features are disabled because he has no role (The >>>>> assigned roles section in keycloak is empty). 
>>>>> >>>>> The logs I sent yesterday mention: >>>>> DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default >>>>> task-1) Token will not be stored for identity provider [microsoft] >>>>> >>>>> which is logged in the method >>>>> IdentityBrokerService.authenticated(BrokeredIdentityContext context) >>>>> >>>>> Going through that method, I found this piece of code: >>>>> >>>>> Set<IdentityProviderMapperModel> mappers = realmModel.getIdentityProviderMappersByAlias(context.getIdpConfig().getAlias()); >>>>> if (mappers != null) { >>>>> KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); >>>>> for (IdentityProviderMapperModel mapper : mappers) { >>>>> IdentityProviderMapper target = (IdentityProviderMapper)sessionFactory.getProviderFactory(IdentityProviderMapper.class, mapper.getIdentityProviderMapper()); >>>>> target.preprocessFederatedIdentity(session, realmModel, mapper, context); >>>>> } >>>>> } >>>>> >>>>> That's why I suspect that the mappers are not triggered. >>>>> >>>>> Thanks! >>>>> >>>>> >>>>> >>>>> >>>>> On Wed, Mar 20, 2019 at 8:11 AM Pedro Igor Silva >>>>> wrote: >>>>> >>>>>> Hi, >>>>>> >>>>>> Are you using a broker to authenticate your users ? Your setup is not >>>>>> clear if that is the case, so I'm not sure if the method you pointed out is >>>>>> related. >>>>>> >>>>>> Can you confirm that this scenario was working before? >>>>>> >>>>>> By losing roles, you mean they are not within the access token? >>>>>> >>>>>> Regards.
>>>>>> Pedro Igor >>>>>> >>>>>> >>>>>> On Tue, Mar 19, 2019 at 9:16 AM MEHDi CHAABOUNi < >>>>>> mehdi.chaabouni at gmail.com> wrote: >>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> This is our Keycloak setup: >>>>>>> >>>>>>> - Keycloak docker container 4.4.0.Final >>>>>>> - Azure Active Directory (mapping groups to roles) >>>>>>> - Keycloak client protocol: openid-connect >>>>>>> - 3 optional client scopes >>>>>> >>>>>> >>>>>>> >>>>>>> >>>>>>> We noticed lately that users using the front-end application >>>>>>> (angular) are >>>>>>> losing all roles after the SSO idle session expires. >>>>>>> This behaviour is also seen in the 4.8.3.Final version. >>>>>>> It seems that the Identity Provider Mappers are not triggered for >>>>>>> some >>>>>>> reason and I can't dig any deeper; nothing much is logged in the >>>>>>> method >>>>>>> IdentityBrokerService.authenticated(BrokeredIdentityContext context). >>>>>>> >>>>>>> Any ideas? >>>>>>> How can I run Keycloak from source? >>>>>>> >>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user at lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>>> From psilva at redhat.com Wed Mar 20 16:03:59 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 20 Mar 2019 17:03:59 -0300 Subject: [keycloak-user] User roles deleted after SSO idle session expires In-Reply-To: References: Message-ID: I don't know about any workaround. Please, watch that JIRA for updates or additional queries about the status. Thanks.
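The role-sync logic this thread circles around, as an added worked example (editor's code; it is not Keycloak's oidc-role-idp-mapper implementation and not part of any message in the thread). It evaluates the "Claim to Role" mapper configuration Mehdi pasted against a token shaped like the one logged from Azure AD, where the groups claim arrives as a list holding a single JSON-encoded array. The JSON unwrapping in `claim_values`, the grant-on-match / revoke-otherwise rule in `sync_roles`, and the helper names themselves are this example's own assumptions, chosen to match Pedro's description of the mapper, not a Keycloak API.

```python
import json
from typing import Any, Dict, Set

# Constructed mapper definition, same shape as the "Claim to Role" mapper in the thread.
MAPPER: Dict[str, Any] = {
    "name": "developer-mapper",
    "identityProviderAlias": "microsoft",
    "identityProviderMapper": "oidc-role-idp-mapper",
    "config": {
        "claim": "groups",
        "role": "admin",
        "claim.value": "fea349bb-4183-477b-b3bc-c489133b4546",
    },
}

# Constructed token with only the claims the example needs. The "groups" value is
# a list containing one JSON-encoded array, exactly the shape shown in the thread.
SAMPLE_TOKEN: Dict[str, Any] = {
    "upn": "mchaabouni@test.com",
    "groups": [
        '["fea349bb-4183-477b-b3bc-c489133b4546","882e10f9-3682-4a26-9938-b29084ef8135"]'
    ],
}


def claim_values(raw: Any) -> Set[str]:
    """Flatten a claim value into a set of strings.

    Accepts a scalar, a list, or a list whose items are JSON-encoded arrays
    (the nested shape above). Unwrapping nested JSON is this example's own
    normalization (assumption); a plain equality check never matches such a claim.
    """
    values: Set[str] = set()
    items = raw if isinstance(raw, list) else [raw]
    for item in items:
        if isinstance(item, str) and item.lstrip().startswith("["):
            try:
                values |= claim_values(json.loads(item))
                continue
            except json.JSONDecodeError:
                pass  # not JSON after all; keep the literal string
        values.add(str(item))
    return values


def claim_matches(mapper: Dict[str, Any], token: Dict[str, Any]) -> bool:
    """True when the configured claim is present and contains claim.value."""
    cfg = mapper["config"]
    if cfg["claim"] not in token:
        return False
    return cfg["claim.value"] in claim_values(token[cfg["claim"]])


def sync_roles(mapper: Dict[str, Any], token: Dict[str, Any],
               current_roles: Set[str]) -> Set[str]:
    """Roles the user should hold after one brokered login.

    Assumed rule: the mapper's role is granted when the claim matches and
    revoked otherwise (claim absent or value not present). This has to run on
    every login; the symptom in the thread is that the mapper is not invoked
    at all once the SSO session has expired, so no re-sync happens.
    """
    role = mapper["config"]["role"]
    roles = set(current_roles)
    if claim_matches(mapper, token):
        roles.add(role)
    else:
        roles.discard(role)
    return roles


def diagnose_groups_claim(token: Dict[str, Any], claim: str = "groups") -> str:
    """Short verdict on the shape of the groups claim, for reading DEBUG logs.

    A list whose only element is itself a JSON array string usually means the
    IdP-side claim was serialized twice.
    """
    raw = token.get(claim)
    if raw is None:
        return "claim missing"
    if (isinstance(raw, list) and len(raw) == 1 and isinstance(raw[0], str)
            and raw[0].lstrip().startswith("[")):
        return "list containing a JSON-encoded array (double-encoded)"
    if isinstance(raw, list):
        return "plain list of %d value(s)" % len(raw)
    return "scalar"


if __name__ == "__main__":
    print(diagnose_groups_claim(SAMPLE_TOKEN))
    print(sorted(sync_roles(MAPPER, SAMPLE_TOKEN, {"user"})))
    print(sorted(sync_roles(MAPPER, {"upn": "x@test.com"}, {"user", "admin"})))
```

Running it against the constructed token grants admin; running it against a token without the groups claim revokes admin again, which is the behaviour a correctly re-invoked mapper would show on a later login.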
From sachindragh at gmail.com Thu Mar 21 02:53:14 2019 From: sachindragh at gmail.com (Sachindra Dilhara) Date: Thu, 21 Mar 2019 12:23:14 +0530 Subject: [keycloak-user] Cannot invoke custom endpoint added to keycloak Message-ID: Hi all, I want to add a custom endpoint to keycloak and I tried a sample given. Following are the steps I took. 1.
pom.xml

    <project>
        <name>Keycloak Custom REST Endpoint Example</name>
        <modelVersion>4.0.0</modelVersion>
        <artifactId>keycloak-custom-rest-endpoint</artifactId>
        <packaging>jar</packaging>
        <groupId>keycloak.example</groupId>
        <version>1.0.0</version>

        <properties>
            <maven.compiler.source>11</maven.compiler.source>
            <maven.compiler.target>11</maven.compiler.target>
        </properties>

        <dependencies>
            <dependency>
                <groupId>org.keycloak</groupId>
                <artifactId>keycloak-core</artifactId>
                <version>4.8.1.Final</version>
                <scope>provided</scope>
            </dependency>
            <dependency>
                <groupId>org.keycloak</groupId>
                <artifactId>keycloak-server-spi</artifactId>
                <version>4.8.1.Final</version>
                <scope>provided</scope>
            </dependency>
            <dependency>
                <groupId>org.keycloak</groupId>
                <artifactId>keycloak-server-spi-private</artifactId>
                <version>4.8.1.Final</version>
                <scope>provided</scope>
            </dependency>
            <dependency>
                <groupId>org.jboss.spec.javax.ws.rs</groupId>
                <artifactId>jboss-jaxrs-api_2.1_spec</artifactId>
                <version>1.0.2.Final</version>
            </dependency>
        </dependencies>

        <build>
            <finalName>hello-rest-example</finalName>
            <plugins>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-compiler-plugin</artifactId>
                    <configuration>
                        <source>6</source>
                        <target>6</target>
                    </configuration>
                </plugin>
            </plugins>
        </build>
    </project>

2. Provider class

    package org.keycloak.examples.rest;

    import org.keycloak.models.KeycloakSession;
    import org.keycloak.services.resource.RealmResourceProvider;

    import javax.ws.rs.GET;
    import javax.ws.rs.Path;
    import javax.ws.rs.Produces;

    /**
     * @author Stian Thorgersen
     */
    public class HelloResourceProvider implements RealmResourceProvider {

        private KeycloakSession session;

        public HelloResourceProvider(KeycloakSession session) {
            this.session = session;
        }

        @Override
        public Object getResource() {
            return this;
        }

        // Note: Keycloak does not authenticate realm resource endpoints for you.
        // Neither method below inspects the Authorization header, so both answer
        // anonymous requests exactly as they answer requests carrying a bearer token.
        @GET
        @Path("/customMessage1")
        @Produces("text/plain; charset=utf-8")
        public String get1() {
            String name = session.getContext().getRealm().getDisplayName();
            if (name == null) {
                name = session.getContext().getRealm().getName();
            }
            return "Hello " + name;
        }

        @GET
        @Path("/customMessage2")
        @Produces("text/plain; charset=utf-8")
        public String get2() {
            return "Hello custom message 2";
        }

        @Override
        public void close() {
        }
    }

3.
Provider factory class

    package org.keycloak.examples.rest;

    import org.keycloak.Config.Scope;
    import org.keycloak.models.KeycloakSession;
    import org.keycloak.models.KeycloakSessionFactory;
    import org.keycloak.services.resource.RealmResourceProvider;
    import org.keycloak.services.resource.RealmResourceProviderFactory;

    /**
     * @author Stian Thorgersen
     */
    public class HelloResourceProviderFactory implements RealmResourceProviderFactory {

        // The factory id becomes the path segment under which the realm resource is exposed.
        public static final String ID = "hello";

        @Override
        public String getId() {
            return ID;
        }

        @Override
        public RealmResourceProvider create(KeycloakSession session) {
            return new HelloResourceProvider(session);
        }

        @Override
        public void init(Scope config) {
        }

        @Override
        public void postInit(KeycloakSessionFactory factory) {
        }

        @Override
        public void close() {
        }
    }

4. Added META-INF/services/org.keycloak.services.resource.RealmResourceProviderFactory file with below content.

    org.keycloak.examples.rest.HelloResourceProviderFactory

5. Built a jar and dropped it in the {$Keycloak_home}/standalone/deployments folder and started the server.
6. Using the management console I could see that the jar is deployed. (http://localhost:9990/console/index.html#deployments)
7. Generated a token using admin-cli in master realm with admin user credentials.
8. Used that token to invoke the GET endpoints "http://localhost:8080/auth/custommessage1" and "http://localhost:8080/auth/custommessage2". But both endpoints returned HTTP 404 Not Found.

I want to know the following.

1. Have I created and deployed the custom endpoint correctly?
2. Are the URLs used to invoke the endpoints correct or not?
3. Have I used the correct way to invoke the custom endpoint (I mean using the token generated from the admin user in master)?
-- Sachindra Dilhara From slaskawi at redhat.com Thu Mar 21 07:31:28 2019 From: slaskawi at redhat.com (Sebastian Laskawiec) Date: Thu, 21 Mar 2019 12:31:28 +0100 Subject: [keycloak-user] Logging for X509 authentication flow In-Reply-To: References: Message-ID: From your post, I'm not exactly sure what x509 Authenticator you're referring to. If we are talking about authenticating Clients, then the `org.keycloak.authentication.authenticators.client.X509ClientAuthenticator` category should be used. However, if we're considering Users, then you should use `org.keycloak.authentication.authenticators.x509`. Also, please make sure you configured logging handlers properly. If you wish to observe the output on the console, please take a look at the `console-handler` XML element and change its level from INFO to DEBUG. You should find more information about configuring loggers on Wildfly related pages. On Tue, Mar 19, 2019 at 6:43 PM Nalyvayko, Peter wrote: > Hey Raymond, > > Edit standalone.xml and add the following configuration under xmlns="urn:jboss:domain:logging:3.0">: > > > > > > > > > You will have to restart the service. Hope this helps > > Cheers > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org < > keycloak-user-bounces at lists.jboss.org> On Behalf Of Page, Raymond > (Technical Solutions) > Sent: Tuesday, March 19, 2019 12:22 PM > To: keycloak-user at lists.jboss.org > Subject: [keycloak-user] Logging for X509 authentication flow > > I'm trying to get keycloak working with Wildfly authenticating clients > directly by X.509 and then using the authentication flow in keycloak to > translate that to a local user. > > > Unfortunately, it's not working and I'm not getting useful logging out of > keycloak to determine what's wrong with my configuration.
To debug, I need > to know that undertow is passing the certificate successfully to keycloak, > that keycloak's X509-form authentication is receiving the proper identity, > the identity extracted from the certificate for authentication comparison, > what it's being compared to (is the CN or DN being regexed and is it being > compared to the keycloak custom attribute that I specified). What I get > from enabling debug logging that's not jboss modules loads is: > > 18:59:38,702 WARN [org.keycloak.events] (default task-1) > type=LOGIN_ERROR, realmId=TEST, clientId=https://auth.test.local, > userId=null, ipAddress=192.168.0.100, error=client_not_found > > > Can someone provide details on how to get debug logging for undertow and > the X509-form-config authentication? > > > -- > Raymond Page, CTR (US) > Automation Engineer, UoT > TIS CTR to Booz | Allen | Hamilton > page_raymond at ne.bah.com > raymond.c.page15.ctr at mail.mil > C: (321) 549-7243 > W: (703) 679-8618 > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From rfechete at grid-applications.com Thu Mar 21 07:43:26 2019 From: rfechete at grid-applications.com (Raul Fechete) Date: Thu, 21 Mar 2019 11:43:26 +0000 Subject: [keycloak-user] KeyCloak Server and HTTP OPTIONS (JSF/Primefaces behind KC Adapter) Message-ID: Hello, I'm trying to build what should be a trivial setup, but I'm having trouble getting to work properly. I have a JSF Application running on JBoss EAP 7.2, secured by the KC Java Adapter. The initial login flow works perfectly fine (browser asks for website, adapter intercepts and redirects to KC, user logs in with KC and is being redirected back to the website). 
Now, the JSF application often uses POST requests. If the user has been logged out (e.g. in KC directly), clicking anywhere on the website triggers a POST request to the application, which is being intercepted by the KC Adapter and redirected (302) to KC. This would be fine, but the problem is, the browser then performs an HTTP OPTIONS call to KC instead of HTTP GET, and KC just returns 204 without any further information. I also noticed that the KC Server always replies with an empty 204 to an HTTP OPTIONS call, even if there is nothing else in the request. Is there any way to configure the handling of the OPTIONS requests in KC? Alternatively, is it possible to configure the adapter to send a 303 and thereby force the browser to perform a GET request? Or am I doing something conceptually wrong? Any help would be appreciated! Thank you very much! Cheers, Raul From vramik at redhat.com Thu Mar 21 08:03:09 2019 From: vramik at redhat.com (Vlasta Ramik) Date: Thu, 21 Mar 2019 13:03:09 +0100 Subject: [keycloak-user] adding mysql or mariadb backend In-Reply-To: <1643686692.8175694.1553028218614@mail.yahoo.com> References: <1643686692.8175694.1553028218614.ref@mail.yahoo.com> <1643686692.8175694.1553028218614@mail.yahoo.com> Message-ID: <92b0eacb-94ce-46ee-4562-bb88f2cd1041@redhat.com> Hello, you can take a look at https://github.com/keycloak/keycloak/blob/cf35a4648bcb93aaf1ac63918ee5c4b0f422d7d5/testsuite/integration-arquillian/servers/auth-server/jboss/common/jboss-cli/configure-server-jpa.cli for inspiration. V. On 3/19/19 9:43 PM, Andrew Meyer wrote:
> Hello, If I am adding a mariadb or mysql backend to keycloak v4.8.3 or 5.0.0 what is the correct syntax from the jboss-cli.sh tool? This is what I have in my notes.
> Open the Jboss CLI and add the MySQL driver (you don't have to connect with the Jboss websocket).
> $ ./bin/jboss-cli.sh
> Is this the correct mysql connector version for MariaDB 10.1.x?
> MySQL/MariaDB
> jboss-cli$ module add --name=com.mysql --dependencies=javax.api,javax.transaction.api --resources=/root/mysql-connector-java-5.1.47.jar
>
> Add the Database driver to the configuration.
> MySQL/MariaDB
> # sudo su -
> Is this the correct syntax for the driver? Should it be com.mysql or org.mysql?
> $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/jdbc-driver=mysql:add(driver-name=mysql,driver-module-name=com.mysql,driver-class-name=com.mysql.jdbc.Driver)'
>
> Remove the h2 KeycloakDS data source and add the MySQL KeycloakDS data source. (Don't delete the test database and change YOURPASS to something random)
> MySQL/MariaDB
> # sudo su -
> $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=KeycloakDS:remove'
> $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=asmDS:add(driver-name=com.mysql,enabled=true,use-java-context=true,connection-url="jdbc:mysql://10.150.10.20:3306/keycloak?useSSL=false&useLegacyDatetimeCode=false&serverTimezone=America/Chicago&characterEncoding=UTF-8",jndi-name="java:/jboss/datasources/KeycloakDS",user-name=keycloak,password="ChangeMe",valid-connection-checker-class-name=org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker,validate-on-match=true,exception-sorter-class-name=org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker)'
> $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=asmDS:test-connection-in-pool'
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From vramik at redhat.com Thu Mar 21 08:11:18 2019 From: vramik at redhat.com (Vlasta Ramik) Date: Thu, 21 Mar 2019 13:11:18 +0100 Subject: [keycloak-user] Keycloak server migration backward compatibility In-Reply-To: References: Message-ID: <9653c68b-992f-5174-b966-2378f01c1ed0@redhat.com> Hello, have you checked the documentation for
upgrading? https://www.keycloak.org/docs/latest/upgrading/index.html btw. keycloak-server.json was deprecated in 2.2.0 if I remember correctly and the migration scripts should do the migration automatically. If it is not working for you maybe it could be a bug, in that case please open a new ticket to https://issues.jboss.org/projects/KEYCLOAK with steps to reproduce if possible, thanks. On 3/19/19 10:08 PM, Abhijeet Deshpande wrote: > Hi, > > > > I'm migrating keycloak version from 2.2.1.Final to Keycloak 4.4.0.Final, > with an option for backward compatibility. i.e. a bearer token generated by > UI application on Keycloak 2.2.1.Final, can be authenticated by Service on > Keycloak 4.4.0.Final keycloak version > > > > Our application has Angular-UI (ssoadmin-ui) & SpringBoot-Services > (ssoadmin-service). > > > > For my migration POC: > > 1. Installed Keycloak 4.4.0.Final version on my local, registered both > above mentioned clients in new Keycloak version. > 2. Modified the key /src/config/keycloak.json file with latest keycloak > settings, below is the keycloak.json > > { > > "realm": "Demo", > > "auth-server-url": "http://localhost:8080/auth", > > "ssl-required": "external", > > "resource": "ssoadmin-ui", > > "public-client": true, > > "use-resource-role-mappings": true, > > "confidential-port": 0 > > } > > 1. With these settings in Angular I'm making calls to my service. Service > is running on localhost:8082 > 2. My service still points to old keycloak instance (KeyCloak > 2.2.1.Final) > > Below are application.properties in service for keycloak. > > > > ####### Keycloak > > keycloak.realm=DEV_Ext > > keycloak.auth-server-url=https://kc-lower.****.com/auth > > keycloak.ssl-required=external > > keycloak.resource=ssoadmin-service > > > > this fails with below exceptions: > > o.k.a.BearerTokenRequestAuthenticator - Failed to verify token > org.keycloak.common.VerificationException: Invalid token signature > > > > Is this the right approach ?
and whether this is achievable ? > > For my application to have one client authenticating with 2.2.1Final > version and another client to get this token validated against 4.4.0.Final > version. > > > > Any pointers will be much appreciated. Please let me know if any > clarifications/additional information needed. Also, if I make both of them > in same version on keycloak the authentication works. > > > > > > Thanks > > Abhijeet > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From pal at sentinel.no Thu Mar 21 08:12:29 2019 From: pal at sentinel.no (Pål Fossmo) Date: Thu, 21 Mar 2019 12:12:29 +0000 Subject: [keycloak-user] How do you handle authorization and authentication in Microservices? Message-ID: At my company, we are building an application on top of microservices. We are struggling with deciding how to handle authorization and authentication. We are thinking of going down the path where we use OpenId Connect to authenticate the users, but when it comes to authorization, we need some advice. Let me explain how the solution works: A user can have different roles in different departments, and the number of departments can exceed 200. In each department, the user can have multiple roles. We understand that the recommended way of handling roles is to put them in the token sent from the client to the server (JWT). But, we are worried that this will make the token payload too big. As far as I know, a browser can hold headers up to 5KB of data. In our case, this means around 50 departments with two roles (uncompressed). The pros of doing it this way are that the user is authorized and authenticated when he/she enters the microservice. The cons are, as I mentioned, the large payload in the token.
We are also looking at a different option where we keep the JWT to a minimum (userid and departmentid) and query Keycloak for the user rights on every request (maybe add some caching mechanism with a short lifespan). This approach will generate a lot of requests to the authorization server. What I'm looking for is some advice/experience of how others have solved this. I'm happy to provide more information if needed. To make it easier for you to give your advice, here is a short description of the two choices: 1) Use JWT to handle authentication and authorization? 2) Keep JWT light and make requests to the authorization server in every microservice? Cheers, Paul From lists at bootc.boo.tc Thu Mar 21 10:56:15 2019 From: lists at bootc.boo.tc (Chris Boot) Date: Thu, 21 Mar 2019 14:56:15 +0000 Subject: [keycloak-user] Advice on setting up realms Message-ID: <6c7408fd-e5d3-95b2-2e09-48c62904398b@bootc.boo.tc> Hi folks, I've been looking for an IdP solution for my employer for months and have felt like I've been going round and round in circles, until I finally gave Keycloak another try. It's like a breath of fresh air! So thanks folks. Our Keycloak instance will be used to protect about a dozen applications, things like our wiki, monitoring control panel, and so on. We'll have two different types of users who will need to use the IdP and login to these applications: staff and partners. Staff will need to login using LDAP federation and will be required to use TOTP. They should not be able to use social providers to log in. Staff will use their email address to login and all will use a single RHS domain for their email addresses. Partners will not have LDAP accounts, and should be able to opt-in to use TOTP. They should ideally also be able to link social accounts (e.g. Google or GitHub) to their existing records. Anyone not using our corporate email domain, but who has an account, should be considered a partner.
Some of our applications can only be configured with a single OIDC or SAML provider, so Keycloak would need to handle both types of accounts (e.g. staff / partner) from a single login interface. I therefore have a few questions about how I might achieve such a setup: - Can I make these two types of user coexist in a single realm, or do I need to split it up? - How can I enforce policies such as requiring TOTP for our staff? - Can I prevent users from changing their email address and name in the account console while still permitting password and authenticator changes? Thanks in advance for any suggestions. Cheers, Chris -- Chris Boot bootc at boo.tc From dv at glyphy.com Thu Mar 21 11:33:42 2019 From: dv at glyphy.com (D V) Date: Thu, 21 Mar 2019 11:33:42 -0400 Subject: [keycloak-user] Using remote-store within a single DC Message-ID: Hi list, I'm trying to run several instances of keycloak using a standalone-ha configuration within the same datacenter. At the same time I'd like to be able to offload both `sessions` and `clientSessions` caches to a remote infinispan cluster within the same datacenter in order to minimize user logouts when keycloak instances are restarted. Eventually, I plan to set up a Cassandra store on the remote ISPN side to persist sessions. At the moment, though, I can't even get Keycloak to start. The configuration for the two caches in the keycloak config looks like this: The remote cache container configuration: The socket binding is: $ISPN_HOST points to a load balancer that's proxying each ISPN node in a round-robin fashion. On the remote Infinispan side I'm using a slightly modified version of their clustered.xml configuration and have set up the cache-container as follows: The ISPN nodes are clustered using a UDP-based JGroups stack. They form a cluster successfully. I can add a cache entry manually with ispn-cli.sh on one node and have it appear on another. Keycloak can connect to the remote Infinispan cluster with hotrod. 
However, at start-up it seems to hang after the following point in the logs: ... ISPN004006: Server sent new topology view (id=9, age=0) containing 3 addresses: [10.39.32.74:11222, 10.39.32.73:11222, 10.39.32.72:11222] WFLYCLINF0002: Started work cache from keycloak container WFLYCLINF0002: Started sessions cache from keycloak container WFLYCLINF0002: Started clientSessions cache from keycloak container ... HHH000397: Using ASTQueryTranslatorFactory Remote store configured for cache 'sessions' Remote store configured for cache 'clientSessions' There's a sleeping thread at this point: "ServerService Thread Pool -- 59" #148 prio=5 os_prio=0 tid=0x00000000032e7800 nid=0xfc waiting on condition [0x00007f6d9928f000] java.lang.Thread.State: TIMED_WAITING (sleeping) at java.lang.Thread.sleep(Native Method) at org.keycloak.models.sessions.infinispan.initializer.CacheInitializer.loadSessions(CacheInitializer.java:36) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$7.run(InfinispanUserSessionProviderFactory.java:317) at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:228) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.loadSessionsFromRemoteCache(InfinispanUserSessionProviderFactory.java:306) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.loadSessionsFromRemoteCaches(InfinispanUserSessionProviderFactory.java:298) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.access$500(InfinispanUserSessionProviderFactory.java:68) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$1.lambda$onEvent$0(InfinispanUserSessionProviderFactory.java:127) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$1$$Lambda$1162/1971420018.run(Unknown Source) at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:228) at 
org.keycloak.models.utils.KeycloakModelUtils.runJobInTransactionWithTimeout(KeycloakModelUtils.java:268) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$1.onEvent(InfinispanUserSessionProviderFactory.java:121) at org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:69) at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:174) ... The code appears to be looking for a coordinator on the work cache, but never finds one. Am I missing some configuration to achieve my goals, or is this particular use case not supported? Thanks for any help! D From jfherouard.almerys at gmail.com Thu Mar 21 11:40:29 2019 From: jfherouard.almerys at gmail.com (Jean-François HEROUARD) Date: Thu, 21 Mar 2019 16:40:29 +0100 Subject: [keycloak-user] Tooltip IdP mapper "Username Template Importer" as example "${ALIAS}.${CLAIM.sub}" but it does not work Message-ID: Hi, When configuring a "Username Template Importer" as a mapper of an identity provider, the tooltip says that it could be "${ALIAS}.${CLAIM.sub}" but "sub" is not an accessible claim. AbstractClaimMapper.getClaimValue() only looks into token.getOtherClaims(), so only claims bound by @JsonAnySetter are accessible, not sub, iss, jti... I patched it:

    // Expose the standard registered claims alongside the "other" claims so the
    // username template can reference ${CLAIM.sub}, ${CLAIM.iss}, etc.
    Map<String, Object> jsonObject = token.getOtherClaims();
    jsonObject.put("jti", token.getId());
    jsonObject.put("sub", token.getSubject());
    jsonObject.put("iss", token.getIssuer());
    jsonObject.put("azp", token.getIssuedFor());

Because I need to be able to get these attributes. Either the tooltip or the code has a bug ? From orivat at janua.fr Thu Mar 21 11:54:50 2019 From: orivat at janua.fr (Olivier Rivat) Date: Thu, 21 Mar 2019 16:54:50 +0100 Subject: [keycloak-user] Advice on setting up realms In-Reply-To: <6c7408fd-e5d3-95b2-2e09-48c62904398b@bootc.boo.tc> References: <6c7408fd-e5d3-95b2-2e09-48c62904398b@bootc.boo.tc> Message-ID: Hi Chris, Couple of points: 1) >
> Can I make these two types of user coexist in a single realm, or do I need to split it up?

- Authentication is on a per-realm basis.
For authentication you configure a corresponding authentication flow, by default for the entire realm.

With 4.X and 5.0, you can override the default authentication flow for specific client applications.

If you want 2 different ways to authenticate (staff with 2FA, username/password + TOTP, and external with 1FA, username/password), best is to have two different realms, with one realm for staff and another for external people.

2) > How can I enforce policies such as requiring TOTP for our staff?

You just have to indicate that TOTP is required in the staff realm authentication flow.

3) > Can I prevent users from changing their email address and name in the account console while still permitting password and authenticator changes?

At first glance, there seems to be no specific tuning for this, unless writing a specific custom plugin.

Visit also our web site for info about TOTP and realms: http://www.janua.fr/tag/technical-blog/

Don't hesitate to come back to us if you need any further help.

Regards,

Olivier Rivat
CTO
orivat at janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr

On 21/03/2019 at 15:56, Chris Boot wrote:
> Hi folks,
>
> I've been looking for an IdP solution for my employer for months and have felt like I've been going round and round in circles, until I finally gave Keycloak another try. It's like a breath of fresh air! So thanks folks.
>
> Our Keycloak instance will be used to protect about a dozen applications, things like our wiki, monitoring control panel, and so on. We'll have two different types of users who will need to use the IdP and login to these applications: staff and partners.
>
> Staff will need to login using LDAP federation and will be required to use TOTP. They should not be able to use social providers to log in.
> Staff will use their email address to login and all will use a single RHS domain for their email addresses.
>
> Partners will not have LDAP accounts, and should be able to opt-in to use TOTP. They should ideally also be able to link social accounts (e.g. Google or GitHub) to their existing records. Anyone not using our corporate email domain, but who has an account, should be considered a partner.
>
> Some of our applications can only be configured with a single OIDC or SAML provider, so Keycloak would need to handle both types of accounts (e.g. staff / partner) from a single login interface.
>
> I therefore have a few questions about how I might achieve such a setup:
>
> - Can I make these two types of user coexist in a single realm, or do I need to split it up?
>
> - How can I enforce policies such as requiring TOTP for our staff?
>
> - Can I prevent users from changing their email address and name in the account console while still permitting password and authenticator changes?
>
> Thanks in advance for any suggestions.
>
> Cheers,
> Chris
> --

From Kevin.Fox at pnnl.gov Thu Mar 21 12:03:24 2019
From: Kevin.Fox at pnnl.gov (Fox, Kevin M)
Date: Thu, 21 Mar 2019 16:03:24 +0000
Subject: [keycloak-user] How do you handle authorization and authentication in Microservices?
In-Reply-To:
References:
Message-ID: <1A3C52DFCD06494D8528644858247BF01C2DB815@EX10MBOX03.pnnl.gov>

Another option is to do some of that policy stuff with OPA
https://www.openpolicyagent.org/

Thanks,
Kevin

________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Pål Fossmo [pal at sentinel.no]
Sent: Thursday, March 21, 2019 5:12 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] How do you handle authorization and authentication in Microservices?

At my company, we are building an application on top of microservices.
We are struggling with deciding how to handle authorization and authentication. We are thinking of going down the path where we use OpenId Connect to authenticate the users, but when it comes to authorization, we need some advice.

Let me explain how the solution works: A user can have different roles in different departments, and the number of departments can exceed 200. In each department, the user can have multiple roles. We understand that the recommended way of handling roles is to put them in the token sent from the client to the server (JWT). But, we are worried that this will make the token payload too big. As far as I know, a browser can hold headers up to 5KB of data. In our case, this means around 50 departments with two roles (uncompressed). The pros of doing it this way are that the user is authorized and authenticated when he/she enters the microservice. The cons are, as I mentioned, the large payload in the token.

We are also looking at a different option where we keep the JWT to a minimum (userid and departmentid) and query Keycloak for the user rights on every request (maybe add some caching mechanism with a short lifespan). This approach will generate a lot of requests to the authorization server.

What I'm looking for is some advice/experience of how others have solved this. I'm happy to provide more information if needed.

To make it easier for you to give your advice, here is a short description of the two choices:
1) Use JWT to handle authentication and authorization?
2) Keep JWT light and make requests to the authorization server in every microservice?

Cheers,
Paul
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From manuel.waltschek at prisma-solutions.at Thu Mar 21 12:11:37 2019
From: manuel.waltschek at prisma-solutions.at (Manuel Waltschek)
Date: Thu, 21 Mar 2019 16:11:37 +0000
Subject: [keycloak-user] SAML logout request document mapping fails
Message-ID: <28318f8548cd4dcc89124d933147b23a@EXMBX24.SFP-Net.skyfillers.local>

Hello,

I am using keycloak for identity brokering with wildfly. There are some problems I experience with the logout.

First: a call to HttpRequest.logout() does not trigger anything. I need to redirect to myurl?GLO=true too to actually do a logout. Maybe the documentation is wrong?

The one thing that is even worse is that I can't do IdP initiated logout, since the document-object mapping does not work. It does not decrypt the cipher value and therefore every value is null, resulting in a NPE in org.keycloak.broker.saml.SAMLEndpoint.Binding.logoutRequest(LogoutRequestType, String) line 282.

I'm using wildfly10 and keycloak 4.8.3.Final.

Please do not ignore me again, since this is blocking us for a long time now. I really need someone figuring that one out.

Thanks and regards,

Manuel Waltschek BSc.
+43 660 86655 47
manuel.waltschek at prisma-solutions.at
https://www.prisma-solutions.com

PRISMA solutions EDV-Dienstleistungen GmbH
Klostergasse 18, 2340 Mödling, Austria
Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt
From sblanc at redhat.com Thu Mar 21 12:14:13 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 21 Mar 2019 17:14:13 +0100
Subject: [keycloak-user] Advice on setting up realms
In-Reply-To:
References: <6c7408fd-e5d3-95b2-2e09-48c62904398b@bootc.boo.tc>
Message-ID:

On Thu, Mar 21, 2019 at 4:58 PM Olivier Rivat wrote:

> Hi Chris,
>
> Couple of points:
> 1) > Can I make these two types of user coexist in a single realm, or do I need to split it up?
>
> -Authentication is on a per realm basis
> For authentication you configure a corresponding authentication flow, by default for the entire realm.
>
> With 4.X and 5.0, you can override the default authentication flow for specific client applications
>
> If you want 2 different ways to authenticate (staff with 2FA, username/password + TOTP), and external with 1FA (username/password), best is to have two different realms, with one realm for staff and another for external people
>

Unless staff and partner do not access the same clients; in this case you can override the auth flow as Olivier said before.

> 2) > How can I enforce policies such as requiring TOTP for our staff?
> You just have to indicate that TOTP is required in the realm staff authentication flow
>

Same remark as in 1).

> 3) > Can I prevent users from changing their email address and name in the account console while still permitting password and authenticator changes?
> At first glance, there seems no specific tuning for this, unless writing a specific custom plugin.
>

In the "Required Actions" of your auth flow, "Update Profile" is enabled by default; if you disable it they won't be able to change their profile but will still be able to configure OTP and change their password.
From ssilvert at redhat.com Thu Mar 21 12:33:21 2019
From: ssilvert at redhat.com (Stan Silvert)
Date: Thu, 21 Mar 2019 12:33:21 -0400
Subject: [keycloak-user] Advice on setting up realms
In-Reply-To:
References: <6c7408fd-e5d3-95b2-2e09-48c62904398b@bootc.boo.tc>
Message-ID: <804816bd-601d-0acf-7056-11d9192db79c@redhat.com>

On 3/21/2019 11:54 AM, Olivier Rivat wrote:
>> - Can I prevent users from changing their email address and name in the account console while still permitting password and authenticator changes?

You can make the email field readonly by changing the HTML in the account theme. This does not prevent someone from manually sending a post to the server that would change it, but it might be enough for your purposes.

From sblanc at redhat.com Thu Mar 21 12:38:04 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 21 Mar 2019 17:38:04 +0100
Subject: [keycloak-user] How do you handle authorization and authentication in Microservices?
In-Reply-To:
References:
Message-ID:

Hi,

Have you considered using an RPT? https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_rpt_overview

Basically it's an access token that also contains the authz permissions, and one permission could contain all the required roles (https://www.keycloak.org/docs/latest/authorization_services/index.html#_policy_rbac).

Then, in your client you remove the client scope "roles" so that they are not added to your token, and you end up with a really small token.

The service receiving the RPT token will be able to check "offline" if the token has the permission (the service will retrieve at startup all the permissions).

On Thu, Mar 21, 2019 at 1:15 PM Pål Fossmo wrote:

> At my company, we are building an application on top of microservices. We are struggling with deciding how to handle authorization and authentication. We are thinking of going down the path where we use OpenId Connect to authenticate the users, but when it comes to authorization, we need some advice.
From sblanc at redhat.com Thu Mar 21 12:44:37 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 21 Mar 2019 17:44:37 +0100
Subject: [keycloak-user] KeyCloak Server and HTTP OPTIONS (JSF/Primefaces behind KC Adapter)
In-Reply-To:
References:
Message-ID:

Have you put a value for the Web Origin property in the client configuration on the KC Console?
On Thu, Mar 21, 2019 at 12:46 PM Raul Fechete <rfechete at grid-applications.com> wrote:

> Hello,
>
> I'm trying to build what should be a trivial setup, but I'm having trouble getting it to work properly.
>
> I have a JSF Application running on JBoss EAP 7.2, secured by the KC Java Adapter. The initial login flow works perfectly fine (browser asks for website, adapter intercepts and redirects to KC, user logs in with KC and is being redirected back to the website).
>
> Now, the JSF application often uses POST requests. If the user has been logged out (e.g. in KC directly), clicking anywhere on the website triggers a POST request to the application, which is being intercepted by the KC Adapter and redirected (302) to KC. This would be fine, but the problem is, the browser then performs a HTTP *OPTIONS* call to KC instead of HTTP GET, and the KC just returns 204 without any further information. I also noticed that the KC Server *always* replies with an empty 204 to a HTTP OPTIONS call, even if there is nothing else in the request.
>
> Is there any way to configure the handling of the OPTIONS requests in KC? Alternatively, is it possible to configure the adapter to send a 303 and thereby force the browser to perform a GET request? Or am I doing something conceptually wrong?
>
> Any help would be appreciated!
> Thank you very much!
>
> Cheers, Raul

From sblanc at redhat.com Thu Mar 21 12:49:21 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 21 Mar 2019 17:49:21 +0100
Subject: [keycloak-user] Cannot invoke custom endpoint added to keycloak
In-Reply-To:
References:
Message-ID:

Have you tried http://localhost:8080/auth/realm/master/custommessage1 ?
On Thu, Mar 21, 2019 at 7:55 AM Sachindra Dilhara wrote:

> Hi all,
>
> I want to add a custom endpoint to keycloak and I tried a sample given. Following are the steps I took.
>
> 1. pom.xml
>
>     <project xmlns="http://maven.apache.org/POM/4.0.0"
>              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>              xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
>         <name>Keycloak Custom REST Endpoint Example</name>
>         <modelVersion>4.0.0</modelVersion>
>
>         <artifactId>keycloak-custom-rest-endpoint</artifactId>
>         <packaging>jar</packaging>
>         <groupId>keycloak.example</groupId>
>         <version>1.0.0</version>
>
>         <properties>
>             <maven.compiler.source>11</maven.compiler.source>
>             <maven.compiler.target>11</maven.compiler.target>
>         </properties>
>
>         <dependencies>
>             <dependency>
>                 <groupId>org.keycloak</groupId>
>                 <artifactId>keycloak-core</artifactId>
>                 <version>4.8.1.Final</version>
>                 <scope>provided</scope>
>             </dependency>
>             <dependency>
>                 <groupId>org.keycloak</groupId>
>                 <artifactId>keycloak-server-spi</artifactId>
>                 <version>4.8.1.Final</version>
>                 <scope>provided</scope>
>             </dependency>
>             <dependency>
>                 <groupId>org.keycloak</groupId>
>                 <artifactId>keycloak-server-spi-private</artifactId>
>                 <version>4.8.1.Final</version>
>                 <scope>provided</scope>
>             </dependency>
>             <dependency>
>                 <groupId>org.jboss.spec.javax.ws.rs</groupId>
>                 <artifactId>jboss-jaxrs-api_2.1_spec</artifactId>
>                 <version>1.0.2.Final</version>
>             </dependency>
>         </dependencies>
>
>         <build>
>             <finalName>hello-rest-example</finalName>
>             <plugins>
>                 <plugin>
>                     <groupId>org.apache.maven.plugins</groupId>
>                     <artifactId>maven-compiler-plugin</artifactId>
>                     <configuration>
>                         <source>6</source>
>                         <target>6</target>
>                     </configuration>
>                 </plugin>
>             </plugins>
>         </build>
>     </project>
>
> 2. Provider class
>
>     package org.keycloak.examples.rest;
>
>     import org.keycloak.models.KeycloakSession;
>     import org.keycloak.services.resource.RealmResourceProvider;
>
>     import javax.ws.rs.GET;
>     import javax.ws.rs.Path;
>     import javax.ws.rs.Produces;
>
>     /**
>      * @author Stian Thorgersen
>      */
>     public class HelloResourceProvider implements RealmResourceProvider {
>
>         private KeycloakSession session;
>
>         public HelloResourceProvider(KeycloakSession session) {
>             this.session = session;
>         }
>
>         @Override
>         public Object getResource() {
>             return this;
>         }
>
>         @GET
>         @Path("/customMessage1")
>         @Produces("text/plain; charset=utf-8")
>         public String get1() {
>             String name = session.getContext().getRealm().getDisplayName();
>             if (name == null) {
>                 name = session.getContext().getRealm().getName();
>             }
>             return "Hello " + name;
>         }
>
>         @GET
>         @Path("/customMessage2")
>         @Produces("text/plain; charset=utf-8")
>         public String get2() {
>             return "Hello custom message 2";
>         }
>
>         @Override
>         public void close() {
>         }
>
>     }
>
> 3. Provider factory class
>
>     package org.keycloak.examples.rest;
>
>     import org.keycloak.Config.Scope;
>     import org.keycloak.models.KeycloakSession;
>     import org.keycloak.models.KeycloakSessionFactory;
>     import org.keycloak.services.resource.RealmResourceProvider;
>     import org.keycloak.services.resource.RealmResourceProviderFactory;
>
>     /**
>      * @author Stian Thorgersen
>      */
>     public class HelloResourceProviderFactory implements RealmResourceProviderFactory {
>
>         public static final String ID = "hello";
>
>         @Override
>         public String getId() {
>             return ID;
>         }
>
>         @Override
>         public RealmResourceProvider create(KeycloakSession session) {
>             return new HelloResourceProvider(session);
>         }
>
>         @Override
>         public void init(Scope config) {
>         }
>
>         @Override
>         public void postInit(KeycloakSessionFactory factory) {
>         }
>
>         @Override
>         public void close() {
>         }
>
>     }
>
> 4. Added the META-INF/services/org.keycloak.services.resource.RealmResourceProviderFactory file with the content below.
>
>     org.keycloak.examples.rest.HelloResourceProviderFactory
>
> 5. Built a jar and dropped it in the {$Keycloak_home}/standalone/deployments folder and started the server.
>
> 6. Using the management console I could see that the jar is deployed. (http://localhost:9990/console/index.html#deployments)
>
> 7. Generated a token using admin-cli in the master realm with admin user credentials.
>
> 8. Used that token to invoke the GET endpoints "http://localhost:8080/auth/custommessage1" and "http://localhost:8080/auth/custommessage2". But both endpoints returned HTTP 404 Not Found.
>
> I want to know the following.
>
> 1. Have I created and deployed the custom endpoint correctly?
> 2. Are the URLs used to invoke the endpoints correct or not?
> 3. Have I used the correct way to invoke the custom endpoint (I mean using the token generated from the admin user in master)?
>
> --
> Sachindra Dilhara

From sblanc at redhat.com Thu Mar 21 12:55:46 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 21 Mar 2019 17:55:46 +0100
Subject: [keycloak-user] Javascript Adapter vs Node Adapter
In-Reply-To:
References:
Message-ID:

On Tue, Mar 19, 2019 at 11:48 AM Adnan Khan wrote:

> Hi folks,
>
> I'm a junior javascript developer and am looking into ways to implement SSO using keycloak. My applications are javascript with backend rest node and front-end vue. Before I go deeper into implementation I wanted to understand why is there a javascript adapter and a node adapter as well. I understand that the javascript adapter is client side and the node adapter is server side. How do you authenticate a resource(end-point) from a client-side adapter?
>

On your front-end app you use keycloak.js (the Javascript adapter) to perform the login (with the redirect etc ...); Keycloak will return you tokens. One of these tokens is the access token that you can use to call a resource (by passing the Authorization header with value "Bearer your_access_token"), probably secured with the nodejs adapter in your case.

>
> Another thing that's confusing me is keycloak.js, what is it? How is it used and its pros and cons?
>
> Thank you in anticipation and for bearing with the relatively noob questions.
>
> Regards,
> Adnan A. Khan

From sblanc at redhat.com Thu Mar 21 13:00:22 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 21 Mar 2019 18:00:22 +0100
Subject: [keycloak-user] Keycloak Gatekeeper + API Key + Service Account
In-Reply-To: <001401d4dd77$873e70d0$95bb5270$@lyra-network.com>
References: <001401d4dd77$873e70d0$95bb5270$@lyra-network.com>
Message-ID:

Indeed, the keycloak-gatekeeper follows the sidecar pattern: for each app that you deploy, you also deploy an instance of the gatekeeper, and there is no way to associate more than one client to one instance of the gatekeeper.

On Mon, Mar 18, 2019 at 12:12 PM Sylvain Malnuit <sylvain.malnuit at lyra-network.com> wrote:

> Hi,
>
> Using Keycloak, it's possible to declare a client like a service account. Client secret becomes API key.
> In my case, I'm going to generate 10 clients (10 API keys).
>
> I have tried to use Keycloak-gatekeeper to cover this use case but GK supports only one client.
> In my case, I'm understanding that I must create 10 instances of GT :(.
>
> Is there a way to associate various clients to one instance of GT (different paths ...)?
>
> Thanks for your help.
>
> Regards,
> Sylvain

From sblanc at redhat.com Thu Mar 21 13:01:31 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 21 Mar 2019 18:01:31 +0100
Subject: [keycloak-user] keycloak-gatekeeper test with example-usage-and-configuration, but fail
In-Reply-To: <20190318082939epcms5p4b2ac33b8c54a86b54a28ef94831dd7e6@epcms5p4>
References: <20190318082939epcms5p4b2ac33b8c54a86b54a28ef94831dd7e6@epcms5p4>
Message-ID:

Hi,

Did you forget to put the body of the email?
On Mon, Mar 18, 2019 at 9:37 AM ??? wrote: > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From sblanc at redhat.com Thu Mar 21 13:31:42 2019 From: sblanc at redhat.com (Sebastien Blanc) Date: Thu, 21 Mar 2019 18:31:42 +0100 Subject: [keycloak-user] node adapter In-Reply-To: References: Message-ID: On Fri, Mar 15, 2019 at 2:33 PM Greet Robijns wrote: > Hi all, > > I followed the instructions on > > https://www.keycloak.org/docs/latest/securing_apps/index.html#_nodejs_adapter > to add a keycloak to my express server. > > my routes are handled by react on the client side. > > However I only get "access denied" and no redirection to the authentication > page? > No redirect is correct since you flagged your nodejs app with "bearer-only". How does the frontend send the request to the backend ? Are you using the javascript adapter to obtain the token ? > > My configuration: > > var session = require("express-session"); > var Keycloak = require("keycloak-connect"); > connectWithRetry(); > var memoryStore = new session.MemoryStore(); > let kcConfig = { > realm: "Marketing Console", > url: "http://localhost:8080/auth", > clientId: "marketing_console", > "bearer-only": true, > "ssl-required": "none", > "enable-cors": true, > "public-client": true > }; > > app.use( > session({ > secret: "mySecret", > resave: false, > saveUninitialized: true, > store: memoryStore > }) > ); > > let keycloak = new Keycloak({ store: memoryStore }, kcConfig); > > app.get("/", keycloak.protect()); > > > Kind Regards > Greet Robijns > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sblanc at redhat.com Thu Mar 21 13:36:19 2019 From: sblanc at redhat.com (Sebastien Blanc) Date: Thu, 21 Mar 2019 18:36:19 +0100 Subject: [keycloak-user] Restrict max number 
of users in a realm In-Reply-To: References: Message-ID: Hi, Out of the box, this is not something you configure in Keycloak. On Fri, Mar 15, 2019 at 8:05 AM Bruce Wings wrote: > Is it possible to restrict number of users creation in a realm to say 500 , > 1000 etc? > Where can I find the config for the same? > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sblanc at redhat.com Thu Mar 21 13:40:48 2019 From: sblanc at redhat.com (Sebastien Blanc) Date: Thu, 21 Mar 2019 18:40:48 +0100 Subject: [keycloak-user] jaxrs integration In-Reply-To: References: Message-ID: On which Application(/Servlet) server do you deploy ? You might want to use the Tomcat/Undertow/Jetty adapter or the Wildfly adapter That will work fine to protect your jaxrs endpoints. On Thu, Mar 14, 2019 at 5:23 PM mhd wrk wrote: > The project I'm working on uses JAXRS/Jersey for REST and Spring Boot for > wiring (DI). As of now we have our own Authentication/Authorization > components based on JAXRS filters. What's the best way to replace the > in-house components with KeyCloak? > > BTW, looking at the adapters under oidc adapters > , seems to > me the *jaxrs-outh-client* and *spring-boot2* might be the right > candidates. However the first one is deprecated and the second one relies > on spring-web which we are not using. > > Thanks, > Mohammad > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sblanc at redhat.com Thu Mar 21 13:42:34 2019 From: sblanc at redhat.com (Sebastien Blanc) Date: Thu, 21 Mar 2019 18:42:34 +0100 Subject: [keycloak-user] Retrieving user information through the admin client on springboot In-Reply-To: References: Message-ID: What for error do you get ? Any stacktrace that you can share with us ? 
On Wed, Mar 13, 2019 at 10:15 AM Vikram wrote:
> Hi all,
>
> Versions in use:
>
> Springboot version: 2.1.3 FINAL
> Keycloak version: 4.8.2
> Springboot adapter version: 4.8.3 FINAL
> Keycloak admin client 4.8.2 FINAL
>
> So I am trying to get all the users that have a role "customer" and belong to a group "group1".
>
> I am using the following code.
>
> RoleResource roleResource = realmResource.roles().get("customer");
> Set<UserRepresentation> customers = roleResource.getRoleUserMembers();
> ArrayList<UserRepresentation> groupCustomers = new ArrayList<>();
>
> for (UserRepresentation user : customers) {
>     if (user.getGroups().contains("group1")) { //error
>         System.out.println("group customer: " + user.getUsername());
>         groupCustomers.add(user);
>     }
> }
>
> However, I get an error when I loop through the user representations to read the group names. I do not get the group and roles information. I get the username, first name and last name though.. Is it a permission issue? How can I get around it?
>
> Regards,
> Vikram
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From akhan at an10.io Thu Mar 21 13:55:54 2019
From: akhan at an10.io (Adnan Khan)
Date: Thu, 21 Mar 2019 22:55:54 +0500
Subject: [keycloak-user] Javascript Adapter vs Node Adapter

Awesome, thank you! This was just what I was looking for. I was trying to do that using keycloak's endpoints but I was having problems with CORS. I'll try using the adapter, hopefully that'll solve the problem. Otherwise I'll get back on this thread.

On Thu, 21 Mar 2019 at 9:55 pm, Sebastien Blanc wrote:
>
> On Tue, Mar 19, 2019 at 11:48 AM Adnan Khan wrote:
>
>> Hi folks,
>>
>> I'm a junior javascript developer and am looking into ways to implement SSO using keycloak. My applications are javascript with backend rest node and front-end vue.
>> Before I go deeper into implementation I wanted to understand why is there a javascript adapter and a node adapter as well. I understand that the javascript adapter is client side and the node adapter is server side. How do you authenticate a resource (end-point) from a client-side adapter?
>
> On your front-end app you use the keycloak.js (the Javascript adapter) to perform the login (with the redirect etc ...), Keycloak will return you tokens. One of these tokens is the access token that you can use to call a resource (by passing the Authorization header with value "Bearer your_access_token"), probably secured with nodejs adapter in your case.
>
>> Another thing that's confusing me is keycloak.js, what is it? how is it used and its pros and cons?
>>
>> Thank you in anticipation and for bearing with the relatively noob questions.
>>
>> Regards,
>> Adnan A. Khan
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Page_Raymond at ne.bah.com Thu Mar 21 14:54:39 2019
From: Page_Raymond at ne.bah.com (Page, Raymond (Techical Solutions ))
Date: Thu, 21 Mar 2019 18:54:39 +0000
Subject: [keycloak-user] X509 Client Authentication regex replacement possible?

To those that assisted me, thanks for the assistance yesterday, I finally got the logging that I needed enabled.

When using auth-x509-client-username-form, is it possible to specify a regex *replacement* instead of simply a regex sub-string match for the identity? I'm mapping a numeric unique identifier in the client certificates to the UPN attribute in AD of the form '1234@domain'. Since the numeric unique identifier (i.e. '1234') is not in a dedicated attribute in AD, I cannot simply extract the identifier from the certificate, I need to append the '@domain' portion for the UPN lookup.
If regex replacements aren't supported, where can I recommend this as a feature request? Should I reopen this feature request with an enhancement request: https://issues.jboss.org/browse/KEYCLOAK-4335

--
Raymond Page, CTR (US)
Automation Engineer, UoT TIS
CTR to Booz | Allen | Hamilton
page_raymond at ne.bah.com
raymond.c.page15.ctr at mail.mil
C: (321) 549-7243
W: (703) 679-8618

From timurhan.s at gmail.com Thu Mar 21 15:40:15 2019
From: timurhan.s at gmail.com (Timurhan Sungur)
Date: Thu, 21 Mar 2019 20:40:15 +0100
Subject: [keycloak-user] OpenID Connect: Is storing access token in browser sercure?

Hi,

I'm currently in the phase of integrating my web-site to OpenID Connect provided by KeyCloak. The web-site is not a single page application. However, different parts of the application are delivered by different web services.

In each site delivered by these different web services, the user can call a standard REST API. This REST API can only be accessed with an access token received from KeyCloak. Thus, the user needs to log-in on the web-site using authorization code flow of OpenId Connect offered by KeyCloak and use the access token given by the token endpoint. This request with the access token can be either sent by browser or by one of the back-end services delivering the current web-site. Thus, we can either do a client-side integration or server-side integration with the REST API.

Unfortunately, the server-side integration is not that feasible due to the complex structure of back-end systems. I cannot even integrate most of web services with KeyCloak. Thus, I could store the access token in the browser in local storage and access the REST API directly from browser. However, I'm still unsure if storing the access token in browser will bring a security vulnerability.

I could not see any official statement regarding this in the standards or in the KeyCloak documentation, so far.
I have seen applications both storing it in the back-end and storing in the browser and I still can't tell the exact security benefit of using a session over an access token when we store it in the back-end. I do not intend to save refresh token in the browser and use only authorization code flow with the help of a back-end service.

My questions:

Is it a security vulnerability to store the access token in browser? E.g., in local storage, in a cookie with HttpOnly, or both of them?
Is there a way to mitigate the security threat and still store it in browser?
Is there a best practice or guideline for storing the access tokens of OpenID Connect that you could refer to?
What is the difference from the security perspective between storing the access token and session, if we can use the session to access the API over an intermediary service?

Thank you for your assistance in advance!

Regards,
Timur

From andrewm659 at yahoo.com Thu Mar 21 23:09:47 2019
From: andrewm659 at yahoo.com (Andrew Meyer)
Date: Fri, 22 Mar 2019 03:09:47 +0000 (UTC)
Subject: [keycloak-user] adding mysql or mariadb backend
In-Reply-To: <92b0eacb-94ce-46ee-4562-bb88f2cd1041@redhat.com>
References: <1643686692.8175694.1553028218614.ref@mail.yahoo.com> <1643686692.8175694.1553028218614@mail.yahoo.com> <92b0eacb-94ce-46ee-4562-bb88f2cd1041@redhat.com>
Message-ID: <1851999884.9610587.1553224187710@mail.yahoo.com>

Yes, I took a look at this.
Followed what was in the examples and still am getting the following:

Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
Mar 21 22:03:54 saml01 standalone.sh: at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:596)
Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97)
Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78)
Mar 21 22:03:54 saml01 standalone.sh: ... 8 more
Mar 21 22:03:54 saml01 standalone.sh: Caused by: java.lang.RuntimeException: Failed to connect to database
Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:382)
Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65)
Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97)
Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:678)
Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95)
Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:148)
Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:141)
Mar 21 22:03:54 saml01 standalone.sh: at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
Mar 21 22:03:54 saml01 standalone.sh: at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
Mar 21 22:03:54 saml01 standalone.sh: at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
Mar 21 22:03:54 saml01 standalone.sh: at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:152)
Mar 21 22:03:54 saml01 standalone.sh: ... 31 more
Mar 21 22:03:54 saml01 standalone.sh: Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException]
Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:153)
Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:83)
Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207)
Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:184)
Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:239)
Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193)
Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189)
Mar 21 22:03:54 saml01 standalone.sh: at javax.naming.InitialContext.lookup(InitialContext.java:417)
Mar 21 22:03:54 saml01 standalone.sh: at javax.naming.InitialContext.lookup(InitialContext.java:417)
Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:375)
Mar 21 22:03:54 saml01 standalone.sh: ... 43 more

Here is the command that I am running. I don't understand what I am doing wrong.

[root@saml01 current]# sudo -u keycloak ./bin/jboss-cli.sh 'module add --name=com.jdbc.mysql --resources=mysql-connector-java-5.1.47.jar --dependencies=javax.api,javax.xml.bind.api'
Module com.jdbc.mysql already exists at /opt/keycloak/5.0.0/modules/com/jdbc/mysql/main
[root@saml01 current]#

I ran all of the commands as shown in the example and keycloak still fails to start.
On Thursday, March 21, 2019, 7:03:12 AM CDT, Vlasta Ramik wrote:

Hello,

you can take a look at https://github.com/keycloak/keycloak/blob/cf35a4648bcb93aaf1ac63918ee5c4b0f422d7d5/testsuite/integration-arquillian/servers/auth-server/jboss/common/jboss-cli/configure-server-jpa.cli for inspiration.

V.

On 3/19/19 9:43 PM, Andrew Meyer wrote:
> Hello,
> If I am adding a mariadb or mysql backend to keycloak v4.8.3 or 5.0.0 what is the correct syntax from the jboss-cli.sh tool? This is what I have in my notes.
>
> Open the Jboss CLI and add the MySQL driver (you don't have to connect with the Jboss websocket).
> $ ./bin/jboss-cli.sh
> Is this the correct mysql connector version for MariaDB 10.1.x?
> MySQL/MariaDB
> jboss-cli$ module add --name=com.mysql --dependencies=javax.api,javax.transaction.api --resources=/root/mysql-connector-java-5.1.47.jar
>
> Add the Database driver to the configuration.
> MySQL/MariaDB
> # sudo su -
> Is this the correct syntax for the driver? Should it be com.mysql or org.mysql?
> $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/jdbc-driver=mysql:add(driver-name=mysql,driver-module-name=com.mysql,driver-class-name=com.mysql.jdbc.Driver)'
>
> Remove the h2 KeycloakDS data source and add the MySQL KeycloakDS data source.
> (Don't delete the test database and change YOURPASS to something random)
> MySQL/MariaDB
> # sudo su -
> $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=KeycloakDS:remove'
> $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=asmDS:add(driver-name=com.mysql,enabled=true,use-java-context=true,connection-url="jdbc:mysql://10.150.10.20:3306/keycloak?useSSL=false&useLegacyDatetimeCode=false&serverTimezone=America/Chicago&characterEncoding=UTF-8",jndi-name="java:/jboss/datasources/KeycloakDS",user-name=keycloak,password="ChangeMe",valid-connection-checker-class-name=org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker,validate-on-match=true,exception-sorter-class-name=org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker)'
> $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=asmDS:test-connection-in-pool'
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From youcef.hilem at gmail.com Fri Mar 22 02:11:40 2019
From: youcef.hilem at gmail.com (HILEM Youcef)
Date: Fri, 22 Mar 2019 07:11:40 +0100
Subject: [keycloak-user] Document how to generate a custom signed JWT when user is authenticated

Hi,

I do not find documentation that provides instructions on how to implement a custom JWT for Keycloak.

My need is to create Custom Tokens for Google Firestore (https://firebase.google.com/docs/auth/admin/create-custom-tokens).

Firebase gives you complete control over authentication by allowing you to authenticate users or devices using secure JSON Web Tokens (JWTs). You generate these tokens on your server, pass them back to a client device, and then use them to authenticate via the signInWithCustomToken() method.
To achieve this, you must create a server endpoint that accepts sign-in credentials, such as a username and password, and, if the credentials are valid, returns a custom JWT. The custom JWT returned from your server can then be used by a client device to authenticate with Firebase (iOS, Android, web). Once authenticated, this identity will be used when accessing other Firebase services, such as the Firebase Realtime Database and Cloud Storage. Furthermore, the contents of the JWT will be available in the auth object in your Firebase Realtime Database Security Rules and the request.auth object in your Cloud Storage Security Rules.

You can create a custom token with the Firebase Admin SDK, or you can use a third-party JWT library if your server is written in a language which Firebase does not natively support.

Thanks
Youcef HILEM

From sblanc at redhat.com Fri Mar 22 03:48:23 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 22 Mar 2019 08:48:23 +0100
Subject: [keycloak-user] OpenID Connect: Is storing access token in browser sercure?

I'm not sure I understand your use case and anyway the access token lifespan should always be really short (it's 1 minute by default in Keycloak) so I don't really see the point of storing it in the local storage.

On Thu, Mar 21, 2019 at 8:42 PM Timurhan Sungur wrote:
> <https://security.stackexchange.com/questions/205837/openid-connect-is-storing-access-token-in-browser-sercure>
>
> Hi,
>
> I'm currently in the phase of integrating my web-site to OpenID Connect provided by KeyCloak. The web-site is not a single page application. However, different parts of the application are delivered by different web services.
> In each site delivered by these different web services, the user can call a standard REST API. This REST API can only be accessed with an access token received from KeyCloak.
> Thus, the user needs to log-in on the web-site using authorization code flow of OpenId Connect <https://openid.net/specs/openid-connect-core-1_0.html> offered by KeyCloak and use the access token given by the token endpoint. This request with the access token can be either sent by browser or by one of the back-end services delivering the current web-site. Thus, we can either do a client-side integration or server-side integration with the REST API.
>
> Unfortunately, the server-side integration is not that feasible due to the complex structure of back-end systems. I cannot even integrate most of web services with KeyCloak. Thus, I could store the access token in the browser in local storage <https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage> and access the REST API directly from browser. However, I'm still unsure if storing the access token in browser will bring a security vulnerability.
>
> I could not see any official statement regarding this in the standards or in the KeyCloak documentation, so far. I have seen applications both storing it in the back-end and storing in the browser and I still can't tell the exact security benefit of using a session over an access token when we store it in the back-end. I do not intend to save refresh token in the browser and use only authorization code flow with the help of a back-end service.
>
> My questions:
>
> Is it a security vulnerability to store the access token in browser? E.g., in local storage, in a cookie with HttpOnly, or both of them?
> Is there a way to mitigate the security threat and still store it in browser?
> Is there a best practice or guideline for storing the access tokens of OpenID Connect that you could refer to?
> What is the difference from the security perspective between storing the access token and session, if we can use the session to access the API over an intermediary service?
> Thank you for your assistance in advance!
>
> Regards,
>
> Timur
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sblanc at redhat.com Fri Mar 22 03:52:01 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 22 Mar 2019 08:52:01 +0100
Subject: [keycloak-user] Document how to generate a custom signed JWT when user is authenticated

Hi,

Looks like you want to use Keycloak as a JWT utility tool which it's not. There are other libraries (listed in the firebase doc) that will do perfectly the job. But maybe I did not understand your use case.

Sebi

On Fri, Mar 22, 2019 at 7:14 AM HILEM Youcef wrote:
> Hi,
>
> I do not find documentation that provides instructions on how to implement a custom JWT for Keycloak.
>
> My need is to create Custom Tokens for Google Firestore (https://firebase.google.com/docs/auth/admin/create-custom-tokens).
>
> Firebase gives you complete control over authentication by allowing you to authenticate users or devices using secure JSON Web Tokens (JWTs). You generate these tokens on your server, pass them back to a client device, and then use them to authenticate via the signInWithCustomToken() method.
>
> To achieve this, you must create a server endpoint that accepts sign-in credentials, such as a username and password, and, if the credentials are valid, returns a custom JWT. The custom JWT returned from your server can then be used by a client device to authenticate with Firebase (iOS, Android, web). Once authenticated, this identity will be used when accessing other Firebase services, such as the Firebase Realtime Database and Cloud Storage. Furthermore, the contents of the JWT will be available in the auth object in your Firebase Realtime Database Security Rules and the request.auth object in your Cloud Storage Security Rules.
>
> You can create a custom token with the Firebase Admin SDK, or you can use a third-party JWT library if your server is written in a language which Firebase does not natively support.
>
> Thanks
>
> Youcef HILEM
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From timurhan.s at gmail.com Fri Mar 22 04:02:31 2019
From: timurhan.s at gmail.com (Timurhan Sungur)
Date: Fri, 22 Mar 2019 09:02:31 +0100
Subject: [keycloak-user] OpenID Connect: Is storing access token in browser sercure?
Message-ID: <3762D4DF-7FE6-4770-AC54-45FD6F8BE435@gmail.com>

Thank you for your answer. What is the reason behind keeping it short? In my use case, it is valid for 2 hours and I will store it somewhere during that period.

Regards,

Timur

Sent from my mobile device.

> On 22.03.2019 at 08:48 Sebastien Blanc wrote:
>
> I'm not sure I understand your use case and anyway the access token lifespan should always be really short (it's 1 minute by default in Keycloak) so I don't really see the point of storing it in the local storage.
>
>> On Thu, Mar 21, 2019 at 8:42 PM Timurhan Sungur wrote:
>>
>> Hi,
>>
>> I'm currently in the phase of integrating my web-site to OpenID Connect provided by KeyCloak. The web-site is not a single page application. However, different parts of the application are delivered by different web services.
>> In each site delivered by these different web services, the user can call a standard REST API. This REST API can only be accessed with an access token received from KeyCloak. Thus, the user needs to log-in on the web-site using authorization code flow of OpenId Connect offered by KeyCloak and use the access token given by the token endpoint. This request with the access token can be either sent by browser or by one of the back-end services delivering the current web-site.
>> Thus, we can either do a client-side integration or server-side integration with the REST API.
>>
>> Unfortunately, the server-side integration is not that feasible due to the complex structure of back-end systems. I cannot even integrate most of web services with KeyCloak. Thus, I could store the access token in the browser in local storage and access the REST API directly from browser. However, I'm still unsure if storing the access token in browser will bring a security vulnerability.
>>
>> I could not see any official statement regarding this in the standards or in the KeyCloak documentation, so far. I have seen applications both storing it in the back-end and storing in the browser and I still can't tell the exact security benefit of using a session over an access token when we store it in the back-end. I do not intend to save refresh token in the browser and use only authorization code flow with the help of a back-end service.
>>
>> My questions:
>>
>> Is it a security vulnerability to store the access token in browser? E.g., in local storage, in a cookie with HttpOnly, or both of them?
>> Is there a way to mitigate the security threat and still store it in browser?
>> Is there a best practice or guideline for storing the access tokens of OpenID Connect that you could refer to?
>> What is the difference from the security perspective between storing the access token and session, if we can use the session to access the API over an intermediary service?
>> Thank you for your assistance in advance!
>>
>> Regards,
>>
>> Timur
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From greetrobijns at gmail.com Fri Mar 22 04:10:23 2019
From: greetrobijns at gmail.com (Greet Robijns)
Date: Fri, 22 Mar 2019 09:10:23 +0100
Subject: [keycloak-user] node adapter

Hi

Thank you for the reply.
Requests from frontend to backend are handled by GraphQL (Apollo).

I have removed
"bearer-only": true
from my keycloak configuration and now it is redirecting to
http://localhost:4000/undefined/realms/Marketing%20Console/protocol/openid-connect/auth?c...
which is definitely a step forward!

If I replace the undefined with "auth" manually in the url my login page comes up and login "works", it redirects again to .../undefined/... of course.

I have not done anything yet with the token.

Kind Regards
Greet Robijns

On Thu 21 Mar 2019 at 18:31 Sebastien Blanc wrote:
>
> On Fri, Mar 15, 2019 at 2:33 PM Greet Robijns wrote:
>
>> Hi all,
>>
>> I followed the instructions on
>> https://www.keycloak.org/docs/latest/securing_apps/index.html#_nodejs_adapter
>> to add a keycloak to my express server.
>>
>> my routes are handled by react on the client side.
>>
>> However I only get "access denied" and no redirection to the authentication page?
>
> No redirect is correct since you flagged your nodejs app with "bearer-only".
> How does the frontend send the request to the backend? Are you using the javascript adapter to obtain the token?
>
>> My configuration:
>>
>> var session = require("express-session");
>> var Keycloak = require("keycloak-connect");
>> connectWithRetry();
>> var memoryStore = new session.MemoryStore();
>> let kcConfig = {
>>   realm: "Marketing Console",
>>   url: "http://localhost:8080/auth",
>>   clientId: "marketing_console",
>>   "bearer-only": true,
>>   "ssl-required": "none",
>>   "enable-cors": true,
>>   "public-client": true
>> };
>>
>> app.use(
>>   session({
>>     secret: "mySecret",
>>     resave: false,
>>     saveUninitialized: true,
>>     store: memoryStore
>>   })
>> );
>>
>> let keycloak = new Keycloak({ store: memoryStore }, kcConfig);
>>
>> app.get("/", keycloak.protect());
>>
>> Kind Regards
>> Greet Robijns
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sblanc at redhat.com Fri Mar 22 04:26:03 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 22 Mar 2019 09:26:03 +0100
Subject: [keycloak-user] OpenID Connect: Is storing access token in browser sercure?
In-Reply-To: <3762D4DF-7FE6-4770-AC54-45FD6F8BE435@gmail.com>
References: <3762D4DF-7FE6-4770-AC54-45FD6F8BE435@gmail.com>

Because your access token could be compromised and could be used to call services that can verify this token offline.
https://www.keycloak.org/docs/latest/server_admin/index.html#compromised-access-and-refresh-tokens

On Fri, Mar 22, 2019 at 9:03 AM Timurhan Sungur wrote:
> Thank you for your answer. What is the reason behind keeping it short? In my use case, it is valid for 2 hours and I will store it somewhere during that period.
>
> Regards,
>
> Timur
>
> Sent from my mobile device.
>
> On 22.03.2019 at 08:48 Sebastien Blanc wrote:
>
> I'm not sure I understand your use case and anyway the access token lifespan should always be really short (it's 1 minute by default in Keycloak) so I don't really see the point of storing it in the local storage.
>
> On Thu, Mar 21, 2019 at 8:42 PM Timurhan Sungur wrote:
>
>> <https://security.stackexchange.com/questions/205837/openid-connect-is-storing-access-token-in-browser-sercure>
>>
>> Hi,
>>
>> I'm currently in the phase of integrating my web-site to OpenID Connect provided by KeyCloak. The web-site is not a single page application. However, different parts of the application are delivered by different web services.
>> In each site delivered by these different web services, the user can call a standard REST API. This REST API can only be accessed with an access token received from KeyCloak. Thus, the user needs to log-in on the web-site using authorization code flow of OpenId Connect <https://openid.net/specs/openid-connect-core-1_0.html> offered by KeyCloak and use the access token given by the token endpoint. This request with the access token can be either sent by browser or by one of the back-end services delivering the current web-site. Thus, we can either do a client-side integration or server-side integration with the REST API.
>>
>> Unfortunately, the server-side integration is not that feasible due to the complex structure of back-end systems. I cannot even integrate most of web services with KeyCloak. Thus, I could store the access token in the browser in local storage <https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage> and access the REST API directly from browser. However, I'm still unsure if storing the access token in browser will bring a security vulnerability.
>>
>> I could not see any official statement regarding this in the standards or in the KeyCloak documentation, so far.
I have seen applications both >> storing it in the back-end and storing in the browser and I still can't >> tell the exact security benefit of using a session over an access token >> when we store it in the back-end. I do not intend to save refresh token in >> the browser and use only authorization code flow with the help of a >> back-end service. >> >> My questions: >> >> Is it a security vulnerability to store the access token in browser? >> E.g., in local storage, in a cookie with HttpOnly, or both of them? >> Is there a way to mitigate the security threat and still store it in >> browser? >> Is there a best practice or guideline for storing the access tokens of >> OpenID Connect that you could refer to? >> What is the difference from the security perspective between storing the >> access token and session, if we can use the session to access the API over >> an intermediary service? >> Thank you for your assistance in advance! >> >> >> Regards, >> >> Timur >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > From timurhan.s at gmail.com Fri Mar 22 04:02:31 2019 From: timurhan.s at gmail.com (Timurhan Sungur) Date: Fri, 22 Mar 2019 09:02:31 +0100 Subject: [keycloak-user] OpenID Connect: Is storing access token in browser sercure? In-Reply-To: References: Message-ID: <3762D4DF-7FE6-4770-AC54-45FD6F8BE435@gmail.com> Thank you for your answer. What is the reason behind keeping it short? In my use case, it is valid for 2 hours and I will store it somewhere during that period. Regards, Timur Sent from my mobile device. > Am 22.03.2019 um 08:48 schrieb Sebastien Blanc : > > I'm not sure to understand you usecase and anyway the access token lifespan should always be really short (it's 1 minute by default in Keycloak) so I don't really see the point of storing it in the local storage. 
From sblanc at redhat.com Fri Mar 22 04:38:49 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 22 Mar 2019 09:38:49 +0100
Subject: [keycloak-user] node adapter
In-Reply-To: References: Message-ID:
I see a typo in your config : it's "serverUrl" not "url".

On Fri, Mar 22, 2019 at 9:10 AM Greet Robijns wrote:
> Hi
>
> Thank you for the reply.
>
> Request from frontend to backend are handled by Graphql (apollo)
>
> I have removed
> "bearer-only": true
> from my keycloak configuration and now it is redirecting to
>
> http://localhost:4000/undefined/realms/Marketing%20Console/protocol/openid-connect/auth?c...
> ..
>
> which is definitely a step forward!
>
> If I replace the undefined with "auth" manually in the url my login page
> comes up and login "works" it redirects again to .../undefined/... of course
>
> I have not done anything yet with the token.
>
>
> Kind Regards
> Greet Robijns
>
>
> On Thu, 21 Mar 2019 at 18:31, Sebastien Blanc wrote:
>
>>
>>
>> On Fri, Mar 15, 2019 at 2:33 PM Greet Robijns
>> wrote:
>>
>>> Hi all,
>>>
>>> I followed the instructions on
>>>
>>> https://www.keycloak.org/docs/latest/securing_apps/index.html#_nodejs_adapter
>>> to add a keycloak to my express server.
>>>
>>> my routes are handled by react on the client side.
>>>
>>> However I only get "access denied" and no redirection to the
>>> authentication
>>> page?
>>> >> No redirect is correct since you flagged your nodejs app with >> "bearer-only". >> How does the frontend send the request to the backend ? Are you using the >> javascript adapter to obtain the token ? >> >>> >>> My configuration: >>> >>> var session = require("express-session"); >>> var Keycloak = require("keycloak-connect"); >>> connectWithRetry(); >>> var memoryStore = new session.MemoryStore(); >>> let kcConfig = { >>> realm: "Marketing Console", >>> url: "http://localhost:8080/auth", >>> clientId: "marketing_console", >>> "bearer-only": true, >>> "ssl-required": "none", >>> "enable-cors": true, >>> "public-client": true >>> }; >>> >>> app.use( >>> session({ >>> secret: "mySecret", >>> resave: false, >>> saveUninitialized: true, >>> store: memoryStore >>> }) >>> ); >>> >>> let keycloak = new Keycloak({ store: memoryStore }, kcConfig); >>> >>> app.get("/", keycloak.protect()); >>> >>> >>> Kind Regards >>> Greet Robijns >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> From timurhan.s at gmail.com Fri Mar 22 04:44:26 2019 From: timurhan.s at gmail.com (Timurhan Sungur) Date: Fri, 22 Mar 2019 09:44:26 +0100 Subject: [keycloak-user] OpenID Connect: Is storing access token in browser sercure? In-Reply-To: References: <3762D4DF-7FE6-4770-AC54-45FD6F8BE435@gmail.com> Message-ID: <31837B21-A898-4E66-9506-482D20EBD6CD@gmail.com> We are communicating over HTTPS as stated in the link you have sent. Shortening the lifespan of the access token is not an option and does not make sense in our use case. Regards, Timur Sent from my mobile device. > Am 22.03.2019 um 09:26 schrieb Sebastien Blanc : > > Because your access token could be compromised and could be used to call services that can verify offline this token. 
https://www.keycloak.org/docs/latest/server_admin/index.html#compromised-access-and-refresh-tokens
From greetrobijns at gmail.com Fri Mar 22 04:44:59 2019
From: greetrobijns at gmail.com (Greet Robijns)
Date: Fri, 22 Mar 2019 09:44:59 +0100
Subject: [keycloak-user] node adapter
In-Reply-To: References: Message-ID:
Thanks! That is it.

Kind Regards,
Greet Robijns

On Fri, 22 Mar 2019 at 09:39, Sebastien Blanc wrote:
> I see a typo in your config : it's "serverUrl" not "url".
>
> On Fri, Mar 22, 2019 at 9:10 AM Greet Robijns
> wrote:
>
>> Hi
>>
>> Thank you for the reply.
From orivat at janua.fr Fri Mar 22 05:18:14 2019
From: orivat at janua.fr (Olivier Rivat)
Date: Fri, 22 Mar 2019 10:18:14 +0100
Subject: [keycloak-user] OpenID Connect: Is storing access token in browser sercure?
In-Reply-To: <31837B21-A898-4E66-9506-482D20EBD6CD@gmail.com>
References: <3762D4DF-7FE6-4770-AC54-45FD6F8BE435@gmail.com> <31837B21-A898-4E66-9506-482D20EBD6CD@gmail.com>
Message-ID:
Hi,

one of the security advantages of the OAuth2/OpenID protocol (RFC 6749 / OpenID Connect) is to avoid having tokens (authorisation code / access_token) in the browser.
With the authorisation code flow, your tokens are never exposed at browser level.
Even with https, if your tokens get stolen, anyone who can get hold of your tokens can have access to everything.

Visit also our web site for more info: http://www.janua.fr/tag/technical-blog/

Don't hesitate to come back to us if you need any further help

Regards,

Olivier Rivat

On 22/03/2019 at 09:44, Timurhan Sungur wrote:
> We are communicating over HTTPS as stated in the link you have sent.
--
Olivier Rivat
CTO
orivat at janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr

From psilva at redhat.com Fri Mar 22 06:37:23 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 22 Mar 2019 11:37:23 +0100
Subject: [keycloak-user] How do you handle authorization and authentication in Microservices?
In-Reply-To: <1A3C52DFCD06494D8528644858247BF01C2DB815@EX10MBOX03.pnnl.gov>
References: <1A3C52DFCD06494D8528644858247BF01C2DB815@EX10MBOX03.pnnl.gov>
Message-ID:
OPA is a great tool. And generic enough to cover different use cases. But I'm wondering how it may become complex when you start to duplicate your security aspects such as roles, groups, etc, in your policies. Besides how it behaves when you need to integrate with identity sources such as LDAP and databases to fetch information that you may need in your policies.

Back to your question, I would suggest you take a look at the Keycloak Authorization Services feature set. It basically provides a PAP, PDP in addition to policy enforcers for different platforms such as JEE, Spring Boot, NodeJS and JS. It is fully based on token based authorization where permissions are carried by tokens to their respective audiences. It is also based on resource-based authorization where access control is based on the resources (and their respective scopes) you are protecting. It is a more flexible model since you don't need to rely on specific roles or groups but the real thing you are protecting.
On Thu, 21 Mar 2019 at 17:05, Fox, Kevin M wrote:
> Another option is to do some of that policy stuff with OPA
> https://www.openpolicyagent.org/
>
> Thanks,
> Kevin
> ________________________________________
> From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Pål Fossmo [pal at sentinel.no]
> Sent: Thursday, March 21, 2019 5:12 AM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] How do you handle authorization and authentication in Microservices?
>
> At my company, we are building an application on top of microservices. We are struggling with deciding how to handle authorization and authentication. We are thinking of going down the path where we use OpenId Connect to authenticate the users, but when it comes to authorization, we need some advice.
>
> Let me explain how the solution works: A user can have different roles in different departments, and the number of departments can exceed 200. In each department, the user can have multiple roles. We understand that the recommended way of handling roles is to put them in the token sent from the client to the server (JWT). But, we are worried that this will make the token payload too big. As far as I know, a browser can hold headers up to 5KB of data. In our case, this means around 50 departments with two roles (uncompressed). The pros of doing it this way are that the user is authorized and authenticated when he/she enters the microservice. The cons are, as I mentioned, the large payload in the token.
>
> We are also looking at a different option where we keep the JWT to a minimum (userid and departmentid) and query Keycloak for the user rights on every request (maybe add some caching mechanism with a short lifespan). This approach will generate a lot of requests to the authorization server.
>
> What I'm looking for is some advice/experience of how others have solved this.
> I'm happy to provide more information if needed.
>
> To make it easier for you to give your advice, here is a short description of the two choices:
> 1) Use JWT to handle authentication and authorization?
> 2) Keep JWT light and make requests to the authorization server in every microservice?
>
> Cheers,
> Paul
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From vramik at redhat.com Fri Mar 22 06:46:56 2019
From: vramik at redhat.com (Vlasta Ramik)
Date: Fri, 22 Mar 2019 11:46:56 +0100
Subject: [keycloak-user] adding mysql or mariadb backend
In-Reply-To: <1851999884.9610587.1553224187710@mail.yahoo.com>
References: <1643686692.8175694.1553028218614.ref@mail.yahoo.com> <1643686692.8175694.1553028218614@mail.yahoo.com> <92b0eacb-94ce-46ee-4562-bb88f2cd1041@redhat.com> <1851999884.9610587.1553224187710@mail.yahoo.com>
Message-ID:
On 3/22/19 4:09 AM, Andrew Meyer wrote:
> Yes, I took a look at this.
> Followed what was in the examples and still am getting the following:
>
> Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> Mar 21 22:03:54 saml01 standalone.sh: at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:596)
> Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97)
> Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78)
> Mar 21 22:03:54 saml01 standalone.sh: ... 8 more
> Mar 21 22:03:54 saml01 standalone.sh: Caused by: java.lang.RuntimeException: Failed to connect to database
> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:382)
> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65)
> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97)
> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:678)
> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95)
> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:148)
> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:141)
> Mar 21 22:03:54 saml01 standalone.sh: at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> Mar 21 22:03:54 saml01 standalone.sh: at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> Mar 21 22:03:54 saml01 standalone.sh: at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> Mar 21 22:03:54 saml01 standalone.sh: at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:152)
> Mar 21 22:03:54 saml01 standalone.sh: ... 31 more
> Mar 21 22:03:54 saml01 standalone.sh: Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException]
> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:153)
> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:83)
> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207)
> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:184)
> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:239)
> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193)
> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189)
> Mar 21 22:03:54 saml01 standalone.sh: at javax.naming.InitialContext.lookup(InitialContext.java:417)
> Mar 21 22:03:54 saml01 standalone.sh: at javax.naming.InitialContext.lookup(InitialContext.java:417)
> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:375)
> Mar 21 22:03:54 saml01 standalone.sh: ... 43 more

This means exactly what it says: KeycloakDS cannot be found. Have you looked at standalone.xml?

>
> Here is the command that I am running. I don't understand what I am doing wrong.
>
> [root at saml01 current]# sudo -u keycloak ./bin/jboss-cli.sh 'module add --name=com.jdbc.mysql --resources=mysql-connector-java-5.1.47.jar --dependencies=javax.api,javax.xml.bind.api'
> Module com.jdbc.mysql already exists at /opt/keycloak/5.0.0/modules/com/jdbc/mysql/main
> [root at saml01 current]#
>
> I ran all of the commands as shown in the example and keycloak still fails to start.
>
> On Thursday, March 21, 2019, 7:03:12 AM CDT, Vlasta Ramik wrote:
>
> Hello,
>
> you can take a look at
> https://github.com/keycloak/keycloak/blob/cf35a4648bcb93aaf1ac63918ee5c4b0f422d7d5/testsuite/integration-arquillian/servers/auth-server/jboss/common/jboss-cli/configure-server-jpa.cli
> for inspiration.
>
> V.
>
> On 3/19/19 9:43 PM, Andrew Meyer wrote:
>
> Hello,
> If I am adding a mariadb or mysql backend to keycloak v4.8.3 or 5.0.0 what is the correct syntax from the jboss-cli.sh tool? This is what I have in my notes.
>
> Open the Jboss CLI and add the MySQL driver (you don't have to connect with the Jboss websocket).
>
> $ ./bin/jboss-cli.sh
>
> Is this the correct mysql connector version for MariaDB 10.1.x?
>
> MySQL/MariaDB
> jboss-cli$ module add --name=com.mysql --dependencies=javax.api,javax.transaction.api --resources=/root/mysql-connector-java-5.1.47.jar
>
> Add the Database driver to the configuration.
>
> MySQL/MariaDB
> # sudo su -
>
> Is this the correct syntax for the driver? Should it be com.mysql or org.mysql?
>
> $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/jdbc-driver=mysql:add(driver-name=mysql,driver-module-name=com.mysql,driver-class-name=com.mysql.jdbc.Driver)'
>
> Remove the h2 KeycloakDS data source and add the MySQL KeycloakDS data source.
> (Don't delete the test database and change YOURPASS to something random)
>
> MySQL/MariaDB
>
> # sudo su -
> $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=KeycloakDS:remove'
>
> $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=asmDS:add(driver-name=com.mysql,enabled=true,use-java-context=true,connection-url="jdbc:mysql://10.150.10.20:3306/keycloak?useSSL=false&useLegacyDatetimeCode=false&serverTimezone=America/Chicago&characterEncoding=UTF-8",jndi-name="java:/jboss/datasources/KeycloakDS",user-name=keycloak,password="ChangeMe",valid-connection-checker-class-name=org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker,validate-on-match=true,exception-sorter-class-name=org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker)'
>
> $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=asmDS:test-connection-in-pool'
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From andrewm659 at yahoo.com Fri Mar 22 10:08:06 2019
From: andrewm659 at yahoo.com (Andrew Meyer)
Date: Fri, 22 Mar 2019 14:08:06 +0000 (UTC)
Subject: [keycloak-user] adding mysql or mariadb backend
In-Reply-To: References: <1643686692.8175694.1553028218614.ref@mail.yahoo.com> <1643686692.8175694.1553028218614@mail.yahoo.com> <92b0eacb-94ce-46ee-4562-bb88f2cd1041@redhat.com> <1851999884.9610587.1553224187710@mail.yahoo.com>
Message-ID: <1870809059.9786354.1553263686636@mail.yahoo.com>
Yes. Here is what I have in the standalone.xml:

[datasources section of standalone.xml as pasted; the XML tags were lost in the archive and only the element values survive, in order:]
jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE
h2
sa
sa
jdbc:mysql://10.150.10.20:3306/keycloak?useSSL=false&amp;useLegacyDatetimeCode=false&amp
keycloak
10
50
true
keycloak
ChangeMe
org.h2.jdbcx.JdbcDataSource
false

I think my connection url line may be incorrect...

On Friday, March 22, 2019, 5:47:00 AM CDT, Vlasta Ramik wrote:

On 3/22/19 4:09 AM, Andrew Meyer wrote:
Yes, I took a look at this. Followed what was in the examples and still am getting the following:
> (Don't delete the test database and change YOURPASS to something random)
> MySQL/MariaDB
> # sudo su -
> $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=KeycloakDS:remove'
> $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=asmDS:add(driver-name=com.mysql,enabled=true,use-java-context=true,connection-url="jdbc:mysql://10.150.10.20:3306/keycloak?useSSL=false&useLegacyDatetimeCode=false&serverTimezone=America/Chicago&characterEncoding=UTF-8",jndi-name="java:/jboss/datasources/KeycloakDS",user-name=keycloak,password="ChangeMe",valid-connection-checker-class-name=org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker,validate-on-match=true,exception-sorter-class-name=org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker)'
> $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=asmDS:test-connection-in-pool'
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From firozpalapra at outlook.com Fri Mar 22 11:50:58 2019
From: firozpalapra at outlook.com (Firoz Ahamed)
Date: Fri, 22 Mar 2019 15:50:58 +0000
Subject: [keycloak-user] Exclude a user with realm-management role from keycloak's password policy
In-Reply-To: References: <1552654525112-0.post@n6.nabble.com> ,
Message-ID:

Glad I could help!
Get Outlook for Android

________________________________
From: Fateh
Sent: Friday, March 22, 2019 3:08:13 PM
To: Firoz Ahamed
Subject: Re: [keycloak-user] Exclude a user with realm-management role from keycloak's password policy

Hi Firoz

Thanks for the great help. I follow the steps and it is working like a charm.

Best regards
Fateh Alchhabi

On Wed, Mar 20, 2019 at 7:23 PM Firoz Ahamed wrote:

Hi Fateh,

You will not find the clients from the other realm in the master realm's role mapping; however you will find a special client with the name following the pattern -realm, where realm name is the realm you want this user to manage. Assign the roles under this special client to the user. Once this user is assigned the realm management roles, it will be able to perform the admin calls on the other realm.

To perform the operations, what we do is:

1. Hit the token endpoint of the master realm with the admin-cli client passing the user name and password. This gives us an access token.
2. We use the access token which we obtained above to make the further admin calls by sending it as the bearer token.

We use this method in our java script clients and I am not sure if this would help with your java client.

Regards,

Sent from Mail for Windows 10

________________________________
From: Fateh
Sent: Tuesday, March 19, 2019 6:47:32 PM
To: Firoz Ahamed
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Exclude a user with realm-management role from keycloak's password policy

Hi Firoz

Thanks for the answer, but I could not achieve the expected result.

First of all, I am using Keycloak-4.4.0.Final and I could not find Role Mappings tab for the client.

Here the steps I followed:

* I went to Master realm, create user sysAdmin, then on the left from the user page >> Role Mapping >> Client Roles >> in the drop menu I found the client from the Master realm only but not from the other realms.
  So I assigned to the master-realm all the roles inside.

* in the other realm I have a client with those values:
  Nosg-Realm
  http://localhost:8180/auth
  EXTERNAL
  whereoil-rest-api
  4ab9fac1-xxxxxxx-xxxxxxx-xxxxxxxxxx
  true

* I am using Java client to fetch all user and roles list via this code:

    Keycloak keycloak = KeycloakBuilder.builder()
        .serverUrl("http://localhost:8180/auth")
        .realm("Nosg-Realm")
        .grantType(OAuth2Constants.PASSWORD)
        .clientId("whereoil-rest-api")
        .clientSecret("4ab9fac1-xxxxxxx-xxxxxxx-xxxxxxxxxx")
        .username("sysadmin") //master Realm user
        .password("xxxxx")
        .build();
    RealmResource realmResource = keycloak.realm("Nosg-Realm");
    realmResource.users().search("User from Nosg-Realm");

I hope this could clarify it more.

Best regards
Fateh Alchhabi

On Fri, Mar 15, 2019 at 2:11 PM Firoz Ahamed wrote:

Hi,

You could create a new user in the master realm and assign the Realm management roles for the specific realm using the Role Mappings tab -> Client Role. In order to manage the other realm, get the token for the newly created user from the master realm and then send that token in your API calls. The ability to assign realm management for other realms is only available for users in the master realm.

Hope this helps.

Sent from Mail for Windows 10

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Fateh
Sent: Friday, March 15, 2019 6:25:25 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Exclude a user with realm-management role from keycloak's password policy

Problem:

I have a user with Client Roles realm-management in a realm called xx which contains password policy. I want to exclude this user from the password policy since this user is responsible to fetch the roles, users and do some updates via Java API and I don't want all the operations to stop until we update the user password when the password policy is triggered.

Ps.
I tried to use the admin user from the master realm; I couldn't get data out of the master realm.

I would appreciate any help or ideas.

--
Sent from: http://keycloak-user.88327.x6.nabble.com/
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From mandy.fung at tasktop.com Fri Mar 22 13:41:55 2019
From: mandy.fung at tasktop.com (Mandy Fung)
Date: Fri, 22 Mar 2019 10:41:55 -0700
Subject: [keycloak-user] Availability of 5.0.0.Final?
Message-ID:

Hi,

I was just wondering if anyone knows when Keycloak 5.0.0.Final will be available? I see that currently version 5.0.0 is released (without the final tag), but there is a bug fix in Keycloak 5.0.0.Final that we would like to consume.

Best regards,
Mandy

--
Mandy Fung | Software Engineer 1 | Tasktop
email: mandy.fung at tasktop.com

From bruno at abstractj.org Fri Mar 22 16:01:02 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Fri, 22 Mar 2019 17:01:02 -0300
Subject: [keycloak-user] Availability of 5.0.0.Final?
In-Reply-To: References: Message-ID:

Keycloak 5.0.0 is the official release. We dropped the suffix ".Final".

On Fri, Mar 22, 2019 at 2:42 PM Mandy Fung wrote:
>
> Hi,
>
> I was just wondering if anyone knows when Keycloak 5.0.0.Final will be
> available? I see that currently version 5.0.0 is released (without the
> final tag), but there is a bug fix in Keycloak 5.0.0.Final that we would
> like to consume.
>
> Best regards,
> Mandy
>
> --
> Mandy Fung | Software Engineer 1 | Tasktop
> email: mandy.fung at tasktop.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
- abstractj

From youcef.hilem at gmail.com Fri Mar 22 22:26:50 2019
From: youcef.hilem at gmail.com (HILEM Youcef)
Date: Sat, 23 Mar 2019 03:26:50 +0100
Subject: [keycloak-user] Document how to generate a custom signed JWT when user is authenticated
Message-ID:

Hi,

You did not understand my use case.

OAuth 2.0 authorization servers provide support for four main grant types according to the OAuth 2.0 specification. It also has the flexibility to support any custom grant types. I do not find documentation that provides instructions on how to implement a custom grant type for the Keycloak OAuth 2.0 authorization server and how to extend the behavior of default grant types.

My clients are OAuth2 Clients. I want to use a custom grant type to generate a Google JWT Token.

I found this (https://github.com/looorent/keycloak-configurable-token-api) and I think it looks like what I'm looking for.

Thanks
Youcef HILEM

From sblanc at redhat.com Sat Mar 23 01:50:02 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Sat, 23 Mar 2019 06:50:02 +0100
Subject: [keycloak-user] Document how to generate a custom signed JWT when user is authenticated
In-Reply-To: References: Message-ID:

But this token will still be signed by Keycloak and I. The documentation you pointed out says that the token must be signed by the firebase service if I remember correctly. Can you add the firebase service as Identity provider in Keycloak? In this case you could maybe use the token exchange "internal token to external token".

On Sat, 23 Mar 2019 at 03:34, HILEM Youcef wrote:

> Hi,
> You did not understand my use case.
>
> OAuth 2.0 authorization servers provide support for four main grant types
> according to the OAuth 2.0 specification. It also has the flexibility to
> support any custom grant types.
> I do not find documentation that provides instructions on how to implement
> a custom grant type for Keycloak OAuth 2.0 authorization server and how to
> extend the behavior of default grant types.
>
> My clients are OAuth2 Clients.
> I want to use a custom grant type to generate a Google JWT Token.
>
> I found this (https://github.com/looorent/keycloak-configurable-token-api)
> and
> I think it looks like what I'm looking for.
>
>
> Thanks
> Youcef HILEM
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From youcef.hilem at gmail.com Sat Mar 23 05:06:26 2019
From: youcef.hilem at gmail.com (HILEM Youcef)
Date: Sat, 23 Mar 2019 10:06:26 +0100
Subject: [keycloak-user] Document how to generate a custom signed JWT when user is authenticated
In-Reply-To: References: Message-ID:

Our Keycloak backend is in Java, which has an official Firebase Admin SDK. We create custom tokens with the Java Firebase Admin SDK.

Yes, another option is to sign in to Firebase using additional Identity Providers (https://github.com/FirebaseExtended/custom-auth-samples). But for Keycloak I do not know yet how to do it. I will see this example (https://github.com/FirebaseExtended/custom-auth-samples/tree/master/kakao), which seems to me well done.

But I prefer the first option with JWT.

Thanks
Youcef HILEM

On Sat, 23 Mar 2019 at 06:50, Sebastien Blanc wrote:

> But this token will still be signed by Keycloak and I. The documentation
> you pointed out says that the token must be signed by the firebase service
> if I remember correctly. Can you add the firebase service as Identity
> provider in Keycloak?
> In this case you could maybe use the token exchange
> "internal token to external token".
>
> On Sat, 23 Mar 2019 at 03:34, HILEM Youcef wrote:
>
>> Hi,
>> You did not understand my use case.
>>
>> OAuth 2.0 authorization servers provide support for four main grant types
>> according to the OAuth 2.0 specification. It also has the flexibility to
>> support any custom grant types.
>> I do not find documentation that provides instructions on how to implement
>> a custom grant type for Keycloak OAuth 2.0 authorization server and how
>> to
>> extend the behavior of default grant types.
>>
>> My clients are OAuth2 Clients.
>> I want to use a custom grant type to generate a Google JWT Token.
>>
>> I found this (https://github.com/looorent/keycloak-configurable-token-api)
>> and
>> I think it looks like what I'm looking for.
>>
>>
>> Thanks
>> Youcef HILEM
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From sirrishabh at gmail.com Sat Mar 23 11:18:15 2019
From: sirrishabh at gmail.com (rishabh jain)
Date: Sat, 23 Mar 2019 20:48:15 +0530
Subject: [keycloak-user] Update Password from API
In-Reply-To: References: Message-ID:

Hi Team,

My requirement is to create a form where a user can update his keycloak password. Is there any API available which I could implement to update the password?

Thanks and Regards
Rishabh

From tmescic at upchain.com Sun Mar 24 07:50:18 2019
From: tmescic at upchain.com (Tihomir Mescic)
Date: Sun, 24 Mar 2019 12:50:18 +0100
Subject: [keycloak-user] How to secure JAX-WS SOAP services with Keycloak
Message-ID:

Hi all,

I have some SOAP services running on WildFly 13. These services are implemented by using the @javax.jws.WebService annotation, and are deployed as a JAR file containing the services and the EJBs with the backing implementation. The services are currently unsecured (public).
I also have Keycloak 5.0 running on a different server.

What I want to achieve:
- add Keycloak integration to my SOAP layer, so that every SOAP request is validated, i.e. the JWT token that is sent in the Authorization header is validated
- the validation is done offline (i.e. the Keycloak REST endpoint for token validation is not called every time)

I tried using the WildFly Keycloak adapter: https://www.keycloak.org/docs/5.0/securing_apps/index.html#jboss-eap-wildfly-adapter

However, it looks like this adapter can only work with WAR deployments (I have a JAR file and don't have the web.xml file at all).

I'm also aware that I could use a SOAP Interceptor and validate the token online (by calling the REST endpoint on Keycloak); however, I'd like to avoid this for performance reasons.

My question is:
1. Is it possible to achieve what I need using the WildFly keycloak adapter?
2. If not, what would be the preferred way to do it?

Thanks in advance,
Tihomir

From katarzyna.sycz at eventival.com Sun Mar 24 15:03:41 2019
From: katarzyna.sycz at eventival.com (Katarzyna Sycz)
Date: Sun, 24 Mar 2019 20:03:41 +0100
Subject: [keycloak-user] Resending multiple emails via Keycloak and Missing Brute Force Detection message
Message-ID:

Hello,

We started using Keycloak lately and we want to implement and adjust it for our clients. However, we found two issues and I would like to ask you for an answer. Unfortunately, I was not able to find a solution or information in the docs.

1. The issue concerns emails sent from Keycloak (for example, password reset, verification email): now a user can keep clicking the "Resend" link as many times as he wants. Are we able to limit it somehow to prevent spamming?

2. Brute Force Detection: it seems to be working (the user is blocked after 5 attempts of inserting an incorrect password, as I see in the event log) but no message is shown, so a user can keep trying to log in because he is not informed he has been blocked.
Can we somehow set an interface message for that?

I would appreciate any help.

Kind regards,
Katarzyna Sycz

--
Katarzyna Sycz
Junior Software Developer
katarzyna.sycz at eventival.com
+420 773 978 859
www.eventival.com

From kkcmadhu at yahoo.com Mon Mar 25 00:55:15 2019
From: kkcmadhu at yahoo.com (Madhu)
Date: Mon, 25 Mar 2019 04:55:15 +0000 (UTC)
Subject: [keycloak-user] How to gracefully delete /clean up key-cloak with large number of realms
In-Reply-To: <1278154218.7023298.1552990813649@mail.yahoo.com>
References: <1278154218.7023298.1552990813649.ref@mail.yahoo.com> <1278154218.7023298.1552990813649@mail.yahoo.com>
Message-ID: <721520864.9617523.1553489715815@mail.yahoo.com>

Will be awesome if someone can throw light on this, especially from a cache rebalancing point of view. I tried using the Infinispan CLI, JMX, WildFly management console, but was not able to look into the content of the cache. If one of us has already tried something like this/similar and can share their knowledge it will be super great!

Regards,
Madhu

On Tuesday, 19 March, 2019, 3:50:13 pm IST, Madhu wrote:

Hi,

I am using keycloak 4.5.0.Final and 4.7.0.Final. I have about 600+ realms, and I am looking for a graceful way to delete realms from a live system (without bringing down keycloak nodes).

I have a cluster set up (standalone-ha.xml), with 3 or 4 nodes, and I use jdbc ping for cluster discovery. I need to know what's the safest way to delete/clean up realms in such a setup.

I tried deleting the tenants using a shell script, which invokes /opt/softwareag/keycloak-4.7.0.Final/bin/kcadm.sh delete realms/$realm_name in a loop. The realm deletion is slow (which is ok), but mostly I see that the cluster node becomes unresponsive after running this command; I see a large number of "Uncaught server error: javax.persistence.OptimisticLockException: org.hibernate.exception.LockAcquisitionException: could not execute statement" exceptions.
The worst part of the problem is that the node does not go down completely and is still part of the cluster but unresponsive. So any info cached in the node becomes inaccessible (user, realm token info mostly) and impacts the logon/login to a set of realms owned by this node :(

If I gracefully shutdown the node (manually) using jboss-cli, the node goes down and allows the other cluster nodes to rebalance. But until I take manual action, this sick node remains part of the cluster and makes a part of realm/users totally unusable.

I tried doing the same with REST APIs instead of kcadm and the effect is the same (node becomes unresponsive but does not leave the cluster).

Any idea how can I gracefully delete realms from a live system, without bringing down keycloak?

I am thinking of:
a) bringing up a temporary node to the cluster, running the delete command from there, and shutting down this node; but what I am not sure of is, when I add another node, will rebalance cause a part of the data which is already stored in existing cluster nodes to be transferred to this node? If yes, then clearly this solution will not work.
b) is there a way to bring another node in standalone mode and delete? But that may cause deadlock, as the cluster is unaware of this new node and does not coordinate (competes with it).
c) can I delete the unwanted realms directly from the database and clean up the cache in all cluster nodes? Will that impact live traffic, and if so, how?
Regards,
Madhu

From kkcmadhu at yahoo.com Mon Mar 25 01:08:33 2019
From: kkcmadhu at yahoo.com (Madhu)
Date: Mon, 25 Mar 2019 05:08:33 +0000 (UTC)
Subject: [keycloak-user] RE : Keycloak cluster communication not working properly
References: <530305527.9606500.1553490513423.ref@mail.yahoo.com>
Message-ID: <530305527.9606500.1553490513423@mail.yahoo.com>

Hi,

I am not an expert; to the best of my knowledge, mping, jdbc ping etc. are for node discovery alone. Internode communication happens through other protocols configured in your standalone-ha.xml/domain.xml.

a) I guess you will need to open up 7600 (default port for members to chit chat/talk) so that one node can pull the auth session/token from another node.
b) you can make stuff sticky in your reverse proxy so that a request always goes to the correct node.
c) you can enable multiple copies of the cache by changing the owners to replicate the cached info (tokens, userinfo).

We presently make stuff sticky in one of our prod deployments, but I am exploring the other alternatives as well (we are not on docker though).

Regards,
Madhu

From sblanc at redhat.com Mon Mar 25 05:34:10 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Mon, 25 Mar 2019 10:34:10 +0100
Subject: [keycloak-user] KeyCloak Server and HTTP OPTIONS (JSF/Primefaces behind KC Adapter)
In-Reply-To: References: Message-ID:

Indeed it's weird that it tries to do an OPTIONS. I just tried with a simple JSP app with WF 15 and the WF Elytron adapter and I can not reproduce it.

Maybe the best is to open a ticket and also add a reproducer.

Also instead of using + or *, could you try by entering the entire domain name like "http://localhost:8080"?

On Mon, Mar 25, 2019 at 8:29 AM Raul Fechete wrote:

> Yes I have (both * and +), but it makes no difference. Making a HTTP
> OPTIONS call on KeyCloak always returns 204 No Content, regardless of the
> URL I'm using.
> I can even manually call OPTIONS on
> http://localhost:8180/auth/admin/master/console, which has nothing to do
> with the authentication flow and the answer is still 204.
>
> The URL used during the authentication flow is:
>
> http://localhost:8180/auth/realms//protocol/openid-connect/auth?response_type=code&client_id=&redirect_uri=&state=c01faac4-d083-401f-b906-b8b775297ee2&login=true&scope=openid
>
> This URL works perfectly fine when the browser uses GET, but returns 204
> when the browser uses OPTIONS. After the 204, the browser just doesn't do
> anything else.
>
> Am I missing something?
>
> Thank you very much!
>
> From: Sebastien Blanc
> Sent: 21 March 2019 17:45
> To: Raul Fechete
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] KeyCloak Server and HTTP OPTIONS
> (JSF/Primefaces behind KC Adapter)
>
> Have you put a value for the Web Origin property in the client
> configuration on the KC Console?
>
> On Thu, Mar 21, 2019 at 12:46 PM Raul Fechete <
> rfechete at grid-applications.com> wrote:
>
> Hello,
>
> I'm trying to build what should be a trivial setup, but I'm having trouble
> getting it to work properly.
>
> I have a JSF Application running on JBoss EAP 7.2, secured by the KC Java
> Adapter. The initial login flow works perfectly fine (browser asks for
> website, adapter intercepts and redirects to KC, user logs in with KC and
> is being redirected back to the website).
>
> Now, the JSF application often uses POST requests. If the user has been
> logged out (e.g. in KC directly), clicking anywhere on the website triggers
> a POST request to the application, which is being intercepted by the KC
> Adapter and redirected (302) to KC. This would be fine, but the problem is,
> the browser then performs a HTTP *OPTIONS* call to KC instead of HTTP GET,
> and the KC just returns 204 without any further information.
> I also noticed
> that the KC Server *always* replies with an empty 204 to a HTTP OPTIONS
> call, even if there is nothing else in the request.
>
> Is there any way to configure the handling of the OPTIONS requests in KC?
> Alternatively, is it possible to configure the adapter to send a 303 and
> thereby force the browser to perform a GET request? Or am I doing something
> conceptually wrong?
>
> Any help would be appreciated!
> Thank you very much!
>
> Cheers, Raul
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From rfechete at grid-applications.com Mon Mar 25 05:53:33 2019
From: rfechete at grid-applications.com (Raul Fechete)
Date: Mon, 25 Mar 2019 09:53:33 +0000
Subject: [keycloak-user] KeyCloak Server and HTTP OPTIONS (JSF/Primefaces behind KC Adapter)
In-Reply-To: References: Message-ID:

Is your browser (JSP website) doing a POST call towards the application server?

The login flow works fine as long as the browser is doing a GET. From what I understand, in this case the browser is trying to do a POST towards the application server and gets redirected towards KC by the adapter, and since a *POST* was redirected, it then first tries an OPTIONS on the KC (maybe to see if it should also try a POST on the KC?).

I did a replay on the redirect answer from the adapter using GET instead of OPTIONS, and it does work.

Also, I tried the auth flow with both the current Firefox and Chrome browser and it's the same: browser calls POST on the AS -> Adapter replies with 302 Redirect -> browser calls OPTIONS on the KC.

This is really weird. I can't be the only one with a JSF website behind the KC adapter, whose sessions ran out.
From sblanc at redhat.com Mon Mar 25 06:41:33 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Mon, 25 Mar 2019 11:41:33 +0100
Subject: [keycloak-user] KeyCloak Server and HTTP OPTIONS (JSF/Primefaces behind KC Adapter)
In-Reply-To: References: Message-ID:

I just tried with a POST (both after a logout due to timeout and a KC-initiated logout) and it is behaving as expected (no OPTIONS call) ...

Maybe it's related to EAP/EAP Adapter ...

On Mon, Mar 25, 2019 at 10:53 AM Raul Fechete <rfechete at grid-applications.com> wrote:

> Is your browser (JSP website) doing a POST call towards the application
> server?
>
> The login flow works fine as long as the browser is doing a GET.
From what > I understand, in this case the browser is trying to do a POST towards the > application server and gets redirected towards KC by the adapter and since > a **POST** was redirected, it then first tries an OPTIONS on the KC > (maybe to see if it should also try a POST on the KC?). > > > > I did a replay on the redirect answer from the adapter using GET instead > of OPTIONS, and it does work. > > > > Also, I tried the auth flow with both the current Firefox and Chrome > browser and it?s the same: browser calls POST on the AS -> Adapter replies > with 302 Redirect -> browser calls OPTIONS on the KC. > > > > This is really weird. I can?t be the only one with a JSF website behind > the KC adapter, whose sessions ran out. > > > > *From:* Sebastien Blanc > *Sent:* 25 March 2019 10:34 > *To:* Raul Fechete ; keycloak userlist < > keycloak-user at lists.jboss.org> > *Subject:* Re: [keycloak-user] KeyCloak Server and HTTP OPTIONS > (JSF/Primefaces behind KC Adapter) > > > > Indeed it's weird that it tries to do an OPTIONS. I just tried with a > simple JSP app with WF 15 and the WF Elytron adapter and I can not > reproduce it. > > Maybe the best is to open a ticket and also add a reproducer. > > Also instead of using + or * , could you try by entering the entire domain > name like "http://localhost:8080" ? > > > > > > > > > > On Mon, Mar 25, 2019 at 8:29 AM Raul Fechete < > rfechete at grid-applications.com> wrote: > > Yes I have (both * and +), but it makes no difference. Making a HTTP > OPTIONS call on KeyCloak always returns 204 No Content, regardless of the > URL I?m using. I can even manually call OPTIONS on > http://localhost:8180/auth/admin/master/console, which has nothing to do > with the authentication flow and the answer is still 204. 
>
> The URL used during the authentication flow is:
>
> http://localhost:8180/auth/realms//protocol/openid-connect/auth?response_type=code&client_id=&redirect_uri=&state=c01faac4-d083-401f-b906-b8b775297ee2&login=true&scope=openid
>
> This URL works perfectly fine when the browser uses GET, but returns 204 when the browser uses OPTIONS. After the 204, the browser just doesn't do anything else.
>
> Am I missing something?
>
> Thank you very much!
>
> *From:* Sebastien Blanc
> *Sent:* 21 March 2019 17:45
> *To:* Raul Fechete
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] KeyCloak Server and HTTP OPTIONS (JSF/Primefaces behind KC Adapter)
>
> Have you put a value for the Web Origin property in the client configuration on the KC Console ?
>
> On Thu, Mar 21, 2019 at 12:46 PM Raul Fechete <rfechete at grid-applications.com> wrote:
>
> Hello,
>
> I'm trying to build what should be a trivial setup, but I'm having trouble getting it to work properly.
>
> I have a JSF Application running on JBoss EAP 7.2, secured by the KC Java Adapter. The initial login flow works perfectly fine (browser asks for website, adapter intercepts and redirects to KC, user logs in with KC and is being redirected back to the website).
>
> Now, the JSF application often uses POST requests. If the user has been logged out (e.g. in KC directly), clicking anywhere on the website triggers a POST request to the application, which is being intercepted by the KC Adapter and redirected (302) to KC. This would be fine, but the problem is, the browser then performs a HTTP *OPTIONS* call to KC instead of HTTP GET, and the KC just returns 204 without any further information. I also noticed that the KC Server *always* replies with an empty 204 to a HTTP OPTIONS call, even if there is nothing else in the request.
>
> Is there any way to configure the handling of the OPTIONS requests in KC?
> Alternatively, is it possible to configure the adapter to send a 303 and thereby force the browser to perform a GET request? Or am I doing something conceptually wrong?
>
> Any help would be appreciated!
> Thank you very much!
>
> Cheers, Raul
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From rfechete at grid-applications.com Mon Mar 25 08:17:57 2019
From: rfechete at grid-applications.com (Raul Fechete)
Date: Mon, 25 Mar 2019 12:17:57 +0000
Subject: [keycloak-user] KeyCloak Server and HTTP OPTIONS (JSF/Primefaces behind KC Adapter)

Ok. Which adapter are you using? Is there any way you could post maybe a screenshot of the communication between browser / adapter / kc? It might help to see if the adapter in your setup responds differently to the client's POST request than in my case.

Just to be sure: your client does a POST on the AS, receives a 302 and then does a GET on KC?

Thanks!

From: Sebastien Blanc
Sent: 25 March 2019 11:42
To: Raul Fechete
Cc: keycloak userlist
Subject: Re: [keycloak-user] KeyCloak Server and HTTP OPTIONS (JSF/Primefaces behind KC Adapter)

I just tried with a POST (both after a logout due to timeout, plus kc initiated logout) and it is behaving as expected (no OPTIONS call) ...
Maybe it's related to EAP/EAP Adapter ...

On Mon, Mar 25, 2019 at 10:53 AM Raul Fechete wrote:

Is your browser (JSP website) doing a POST call towards the application server?

The login flow works fine as long as the browser is doing a GET. From what I understand, in this case the browser is trying to do a POST towards the application server and gets redirected towards KC by the adapter and since a *POST* was redirected, it then first tries an OPTIONS on the KC (maybe to see if it should also try a POST on the KC?).
Cheers, Raul
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From dv at glyphy.com Mon Mar 25 08:47:11 2019
From: dv at glyphy.com (D V)
Date: Mon, 25 Mar 2019 08:47:11 -0400
Subject: [keycloak-user] Using remote-store within a single DC

This appears to be an issue only when rolling out a version that has a remote-store while the old version without a remote-store is running. That is, if I completely stop the old version and deploy the new version with a remote-store, it starts properly. If even a single instance of the old version is running, all new versions get stuck during start-up looking for the coordinator.

Is this a known issue, and if so, is there a known workaround?

On Thu, Mar 21, 2019 at 11:33 AM D V wrote:

> Hi list,
>
> I'm trying to run several instances of keycloak using a standalone-ha configuration within the same datacenter. At the same time I'd like to be able to offload both `sessions` and `clientSessions` caches to a remote infinispan cluster within the same datacenter in order to minimize user logouts when keycloak instances are restarted. Eventually, I plan to set up a Cassandra store on the remote ISPN side to persist sessions. At the moment, though, I can't even get Keycloak to start.
>
> The configuration for the two caches in the keycloak config looks like this:
>
> cache="sessions" shared="true" purge="false"/>
>
> passivation="false" shared="true" purge="false"/>
>
> The remote cache container configuration:
>
> default-remote-cluster="ispn-cluster">
> />
>
> The socket binding is:
>
> port="${env.ISPN_PORT:11222}" />
>
> $ISPN_HOST points to a load balancer that's proxying each ISPN node in a round-robin fashion.
>
> On the remote Infinispan side I'm using a slightly modified version of their clustered.xml configuration and have set up the cache-container as follows:
>
> statistics="true">
>
> The ISPN nodes are clustered using a UDP-based JGroups stack. They form a cluster successfully. I can add a cache entry manually with ispn-cli.sh on one node and have it appear on another. Keycloak can connect to the remote Infinispan cluster with hotrod. However, at start-up it seems to hang after the following point in the logs:
>
> ...
> ISPN004006: Server sent new topology view (id=9, age=0) containing 3 addresses: [10.39.32.74:11222, 10.39.32.73:11222, 10.39.32.72:11222]
> WFLYCLINF0002: Started work cache from keycloak container
> WFLYCLINF0002: Started sessions cache from keycloak container
> WFLYCLINF0002: Started clientSessions cache from keycloak container
> ...
> HHH000397: Using ASTQueryTranslatorFactory
> Remote store configured for cache 'sessions'
> Remote store configured for cache 'clientSessions'
>
> There's a sleeping thread at this point:
>
> "ServerService Thread Pool -- 59" #148 prio=5 os_prio=0 tid=0x00000000032e7800 nid=0xfc waiting on condition [0x00007f6d9928f000]
>    java.lang.Thread.State: TIMED_WAITING (sleeping)
>    at java.lang.Thread.sleep(Native Method)
>    at org.keycloak.models.sessions.infinispan.initializer.CacheInitializer.loadSessions(CacheInitializer.java:36)
>    at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$7.run(InfinispanUserSessionProviderFactory.java:317)
>    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:228)
>    at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.loadSessionsFromRemoteCache(InfinispanUserSessionProviderFactory.java:306)
>    at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.loadSessionsFromRemoteCaches(InfinispanUserSessionProviderFactory.java:298)
>    at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.access$500(InfinispanUserSessionProviderFactory.java:68)
>    at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$1.lambda$onEvent$0(InfinispanUserSessionProviderFactory.java:127)
>    at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$1$$Lambda$1162/1971420018.run(Unknown Source)
>    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:228)
>    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransactionWithTimeout(KeycloakModelUtils.java:268)
>    at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$1.onEvent(InfinispanUserSessionProviderFactory.java:121)
>    at org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:69)
>    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:174)
> ...
>
> The code appears to be looking for a coordinator on the work cache, but never finds one. Am I missing some configuration to achieve my goals, or is this particular use case not supported?
>
> Thanks for any help!
> D

From lists at bootc.boo.tc Mon Mar 25 09:16:04 2019
From: lists at bootc.boo.tc (Chris Boot)
Date: Mon, 25 Mar 2019 13:16:04 +0000
Subject: [keycloak-user] Advice on setting up realms
References: <6c7408fd-e5d3-95b2-2e09-48c62904398b@bootc.boo.tc>

Hi Olivier, Sebastien,

First of all sorry for the late response, your replies never made it to me despite me being subscribed to the list. I only found them when perusing the online archives. Could you please CC me on replies?

On 21/03/2019 16:14, sblanc at redhat.com (Sebastien Blanc) wrote:
> On Thu, Mar 21, 2019 at 4:58 PM Olivier Rivat wrote:
[snip]
>> 1) > Can I make these two types of user coexist in a single realm, or do I need to split it up?
>>
>> -Authentication is on a per realm basis
>> For authentication you configure a corresponding authentication flow, by default for the entire realm.
>>
>> With 4.X and 5.0, you can override the default authentication flow for specific client applications
>>
>> If you want 2 different ways to authenticate (staff with 2FA, username/password + TOTP), and external with 1FA (username/password) best is to have two different realms, with one realm for staff and another for external people
>>
> Unless staff and partner do not access the same clients, in this case you can override the auth flow as Olivier said before

Most of our apps will need logins from both types of user; a minority will only accept logins from staff. Overriding the auth flow per client doesn't seem like it will work for us. It looks like two realms is the way to do this, then, which should be fine.

Now, bearing in mind that some of our applications can only authenticate against one provider at a time, would you recommend having the "partners" realm broker to the "staff" realm? Or would it be better to have a third realm used only for such applications which then brokers to both the "partners" and "staff" realms?

>> 3) > Can I prevent users from changing their email address and name in the account console while still permitting password and authenticator changes?
>> At first glance, there seems no specific tuning for this, unless writing a specific custom plugin.
>> In the "required Actions" of your auth flow, "Update Profile" is enabled by default; if you disable it they won't be able to change their profile but still able to configure OTP and change their password.

I'll have to try this, thanks. Failing that, Stan's suggestions of hacking the HTML in the account theme might be good enough for our purposes.
Thanks,
Chris

-- 
Chris Boot
bootc at boo.tc

From audunroe at gmail.com Mon Mar 25 09:45:31 2019
From: audunroe at gmail.com (Audun Røe)
Date: Mon, 25 Mar 2019 14:45:31 +0100
Subject: [keycloak-user] IDPSSODescriptor only has SingleSignOnService for POST binding

Hello,

when obtaining KeyCloak SAML IDP metadata through the admin dashboard (Client > Installation and selecting "SAML Metadata IDPSSODescriptor" from the dropdown) the metadata only contains a SingleSignOnService for HTTP-POST binding:

When instead getting this metadata through the following URL, it also has HTTP-Redirect and SOAP endpoints:
https://keycloak.example.com/auth/realms/example.com/protocol/saml/descriptor

Is there a reason for the discrepancy, or is it a bug? It's not really a problem but our SP wants a HTTP-Redirect endpoint, so attempting to upload the former metadata variant failed, while the latter works fine.

Regards,
Audun

From l.lech at ringler.ch Mon Mar 25 09:51:35 2019
From: l.lech at ringler.ch (Lukasz Lech)
Date: Mon, 25 Mar 2019 13:51:35 +0000
Subject: [keycloak-user] Notification after failed login attempt(s) from unknown machine.
Message-ID: <5E48B917000C984B86B77170F441903A18974A9C@exch.ringler.ch>

Hello,

Does keycloak have a functionality of notifying user about failed login attempts made from unknown machine? In default configuration, users have no idea that someone has tried to guess their password...

I couldn't find anything about that, but there seems already to be some brute-force detector (at least it is logged as such).
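Keycloak's event log is one place where the failed attempts this thread asks about do show up once login events are enabled for the realm. The following script is an added example written for this archive, not part of the message above and not part of Keycloak itself: it reads event lines in the `type=..., ipAddress=..., username=...` key/value shape that the jboss-logging event listener writes (the sample lines are constructed for the example, with a made-up realm `demo` and made-up addresses), remembers which addresses each user has completed a successful LOGIN from, and counts LOGIN_ERROR events that arrive from an address that user has never logged in from. That per-user list is what a notification or SIEM rule would act on.

```python
"""Flag failed Keycloak logins that come from a machine the user has never logged in from.

Added example for this archive; not part of the mailing-list thread or of Keycloak.
"""
import re
from collections import defaultdict

# Constructed sample lines in the key=value shape of Keycloak's jboss-logging event
# listener output (realm name "demo" and all addresses are made up for the example).
SAMPLE_EVENTS = """\
type=LOGIN, realmId=demo, clientId=account, userId=8f0c, ipAddress=10.0.0.5, username=alice
type=LOGIN_ERROR, realmId=demo, clientId=account, userId=8f0c, ipAddress=10.0.0.5, error=invalid_user_credentials, username=alice
type=LOGIN_ERROR, realmId=demo, clientId=account, userId=8f0c, ipAddress=198.51.100.7, error=invalid_user_credentials, username=alice
type=LOGIN_ERROR, realmId=demo, clientId=account, userId=8f0c, ipAddress=198.51.100.7, error=invalid_user_credentials, username=alice
type=LOGIN_ERROR, realmId=demo, clientId=account, userId=null, ipAddress=198.51.100.7, error=user_not_found, username=mallory
type=LOGIN, realmId=demo, clientId=account, userId=2b77, ipAddress=192.0.2.9, username=bob
some unrelated log line without event fields
"""

PAIR = re.compile(r"(\w+)=([^,]*)")


def parse_event(line):
    """Turn one 'k=v, k=v' event line into a dict; None for lines that are not events."""
    fields = {k: v.strip() for k, v in PAIR.findall(line)}
    return fields if "type" in fields else None


def unknown_machine_failures(lines):
    """Count LOGIN_ERROR events per (username, ip) where that user has not completed a
    LOGIN from the same ip earlier in the stream.  Returns {(username, ip): count}."""
    known_ips = defaultdict(set)   # username -> addresses with a prior successful LOGIN
    alerts = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        user, ip = ev.get("username"), ev.get("ipAddress")
        if not user or not ip:
            continue
        if ev["type"] == "LOGIN":
            known_ips[user].add(ip)
        elif ev["type"] == "LOGIN_ERROR" and ip not in known_ips[user]:
            alerts[(user, ip)] += 1
    return dict(alerts)


def users_to_notify(alerts):
    """Collapse alerts to {username: total failures from unknown machines}, the shape a
    per-user notification would need."""
    totals = defaultdict(int)
    for (user, _ip), n in alerts.items():
        totals[user] += n
    return dict(totals)


if __name__ == "__main__":
    found = unknown_machine_failures(SAMPLE_EVENTS.splitlines())
    for (user, ip), n in sorted(found.items()):
        print(f"{user}: {n} failed attempt(s) from unknown address {ip}")
```

Failures for a username that does not exist (`userId=null`, `error=user_not_found`) cannot be delivered to anybody, but they still show that someone is guessing names against the realm, so the detector keeps them rather than dropping them silently. A "known machine" here is only an address that completed a login earlier in the same stream; on a real deployment the set would be seeded from the retained event history before the rule is switched on.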
Best regards,
Lukasz Lech

From jdennis at redhat.com Mon Mar 25 10:24:38 2019
From: jdennis at redhat.com (John Dennis)
Date: Mon, 25 Mar 2019 10:24:38 -0400
Subject: [keycloak-user] IDPSSODescriptor only has SingleSignOnService for POST binding
Message-ID: <871c715f-6173-84b2-d3cc-49aa8d1203f5@redhat.com>

On 3/25/19 9:45 AM, Audun Røe wrote:
> Hello,
>
> when obtaining KeyCloak SAML IDP metadata through the admin dashboard (Client > Installation and selecting "SAML Metadata IDPSSODescriptor" from the dropdown) the metadata only contains a SingleSignOnService for HTTP-POST binding:
>
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.example.com/auth/realms/example.com/protocol/saml" />
>
> When instead getting this metadata through the following URL, it also has HTTP-Redirect and SOAP endpoints:
> https://keycloak.example.com/auth/realms/example.com/protocol/saml/descriptor
>
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.example.com/auth/realms/example.com/protocol/saml"/>
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.example.com/auth/realms/example.com/protocol/saml"/>
> Location="https://keycloak.example.com/auth/realms/example.com/protocol/saml"/>
>
> Is there a reason for the discrepancy, or is it a bug? It's not really a problem but our SP wants a HTTP-Redirect endpoint, so attempting to upload the former metadata variant failed, while the latter works fine.

Known issue and recently fixed, see https://issues.jboss.org/browse/KEYCLOAK-8537

There was a very similar issue with SP logout metadata handling described in this JIRA that was fixed just a day or two ago.
https://issues.jboss.org/browse/KEYCLOAK-8535

-- 
John Dennis

From j9dy1g at gmail.com Mon Mar 25 15:27:11 2019
From: j9dy1g at gmail.com (Jody H)
Date: Mon, 25 Mar 2019 20:27:11 +0100
Subject: [keycloak-user] Apply default client scopes to existing clients

Hi,

when I add a new client scope as default, I'd expect that this will be added to the "assigned default client scopes" for existing clients as well. However, only new clients will see the mapper in its "assigned default mappers" list. Is there a way to automatically adjust all existing clients when I set a client scope as default?

Thanks
Jody

From mposolda at redhat.com Mon Mar 25 17:32:07 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 25 Mar 2019 22:32:07 +0100
Subject: [keycloak-user] Apply default client scopes to existing clients
Message-ID: <557c3409-762c-4768-decb-630b17fe1607@redhat.com>

Hi,

It's not possible at this moment. It works similarly like for example "Default roles" - hence added just to the newly created clients/users. So you need to manually add it as default client scope to existing clients or through some script, which will call REST API under the covers to add the specified client scope to default client scopes of the particular client.

Marek
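The reply above points at a script against the Admin REST API. The following is an added example of such a script, written for this archive; it is not part of the reply and not Keycloak's own tooling. It obtains an admin token with the same password grant against `admin-cli` that the curl example earlier in this archive uses, looks the client scope up by name, and adds it to the default scopes of every client in the realm that does not have it yet. Real calls go through `http_call` (standard-library urllib); `FakeAdminApi` is a constructed in-memory stand-in with a realm named `demo`, so the logic can be run and checked offline. The base URL `https://kc.example/auth`, the admin credentials and the scope name `audit` are placeholders.

```python
"""Add an existing client scope as a default scope on every client in a realm through the
Keycloak Admin REST API.  Added example for this archive; not Keycloak's own tooling."""
import json
import urllib.parse
import urllib.request


def http_call(method, url, token=None, body=None):
    """Real transport: returns (status, decoded JSON or None).  body is form-encoded."""
    headers = {"Accept": "application/json"}
    data = None
    if token:
        headers["Authorization"] = "Bearer " + token
    if body is not None:
        data = urllib.parse.urlencode(body).encode()
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def get_admin_token(base, call, username, password):
    """Password grant against admin-cli, the same exchange as the curl example in this archive."""
    _, tok = call("POST", f"{base}/realms/master/protocol/openid-connect/token",
                  body={"grant_type": "password", "client_id": "admin-cli",
                        "username": username, "password": password})
    return tok["access_token"]


def add_default_scope_everywhere(base, realm, scope_name, token, call):
    """Return the clientIds the scope was added to; clients that already have it are skipped."""
    admin = f"{base}/admin/realms/{realm}"
    _, scopes = call("GET", f"{admin}/client-scopes", token)
    scope = next((s for s in scopes if s["name"] == scope_name), None)
    if scope is None:
        raise ValueError(f"client scope {scope_name!r} not found in realm {realm!r}")
    _, clients = call("GET", f"{admin}/clients", token)
    updated = []
    for client in clients:
        _, current = call("GET", f"{admin}/clients/{client['id']}/default-client-scopes", token)
        if any(s["id"] == scope["id"] for s in current):
            continue   # already a default scope on this client: nothing to do
        call("PUT", f"{admin}/clients/{client['id']}/default-client-scopes/{scope['id']}", token)
        updated.append(client["clientId"])
    return updated


class FakeAdminApi:
    """Constructed in-memory stand-in for the transport so the logic can run offline.
    It models a realm 'demo' with two client scopes and two clients."""

    def __init__(self):
        self.scopes = [{"id": "scope-1", "name": "roles"}, {"id": "scope-2", "name": "audit"}]
        self.clients = {
            "c-1": {"id": "c-1", "clientId": "web_app", "defaults": ["scope-1", "scope-2"]},
            "c-2": {"id": "c-2", "clientId": "billing", "defaults": ["scope-1"]},
        }
        self.puts = []   # (clientId, scopeId) pairs the script tried to add

    def __call__(self, method, url, token=None, body=None):
        if url.endswith("/protocol/openid-connect/token"):
            return 200, {"access_token": "fake-token"}
        if token != "fake-token":
            return 401, None
        parts = url.split("/admin/realms/demo/", 1)[1].split("/")
        if parts == ["client-scopes"]:
            return 200, list(self.scopes)
        if parts == ["clients"]:
            return 200, [{"id": c["id"], "clientId": c["clientId"]} for c in self.clients.values()]
        client = self.clients[parts[1]]
        if method == "GET":                     # clients/{id}/default-client-scopes
            return 200, [s for s in self.scopes if s["id"] in client["defaults"]]
        client["defaults"].append(parts[3])     # PUT clients/{id}/default-client-scopes/{scopeId}
        self.puts.append((client["clientId"], parts[3]))
        return 204, None


if __name__ == "__main__":
    api = FakeAdminApi()   # pass http_call instead to talk to a real server
    token = get_admin_token("https://kc.example/auth", api, "admin", "PLACEHOLDER")
    print(add_default_scope_everywhere("https://kc.example/auth", "demo", "audit", token, api))
```

The script checks each client's current default scopes before issuing the PUT, so it is safe to re-run after a partial failure. Run it with an account that holds the realm-management `manage-clients` role rather than a full realm admin, and keep the admin password out of the script (read it from the environment or a prompt).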
From vramik at redhat.com Tue Mar 26 05:35:41 2019
From: vramik at redhat.com (Vlasta Ramik)
Date: Tue, 26 Mar 2019 10:35:41 +0100
Subject: [keycloak-user] adding mysql or mariadb backend
In-Reply-To: <1870809059.9786354.1553263686636@mail.yahoo.com>
References: <1643686692.8175694.1553028218614.ref@mail.yahoo.com> <1643686692.8175694.1553028218614@mail.yahoo.com> <92b0eacb-94ce-46ee-4562-bb88f2cd1041@redhat.com> <1851999884.9610587.1553224187710@mail.yahoo.com> <1870809059.9786354.1553263686636@mail.yahoo.com>
Message-ID: <8082afee-e901-dc29-5acb-ffa8552c4677@redhat.com>

Hey,

inline.

On 3/22/19 3:08 PM, Andrew Meyer wrote:
> Yes. Here is what I have in the standalone.xml:
>
> jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true">
>     jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE
>     h2
>     sa
>     sa
>
> jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true">
>     jdbc:mysql://10.150.10.20:3306/keycloak?useSSL=false&amp;useLegacyDatetimeCode=false&amp
>     keycloak

the driver has to correspond to

>     10
>     50
>     true
>     keycloak
>     ChangeMe
>
>     org.h2.jdbcx.JdbcDataSource
>
> relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
> false
>
> I think my connection url line may be incorrect...
>
> On Friday, March 22, 2019, 5:47:00 AM CDT, Vlasta Ramik wrote:
>
> On 3/22/19 4:09 AM, Andrew Meyer wrote:
> Yes, I took a look at this. Followed what was in the examples and still am getting the following:
>
> Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> Mar 21 22:03:54 saml01 standalone.sh: at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:596)
> Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97)
> Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78)
> Mar 21 22:03:54 saml01 standalone.sh: ... 8 more
> Mar 21 22:03:54 saml01 standalone.sh: Caused by: java.lang.RuntimeException: Failed to connect to database
> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:382)
> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65)
> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97)
> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:678)
> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95)
> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:148)
> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:141)
> Mar 21 22:03:54 saml01 standalone.sh: at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> Mar 21 22:03:54 saml01 standalone.sh: at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> Mar 21 22:03:54 saml01 standalone.sh: at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> Mar 21 22:03:54 saml01 standalone.sh: at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:152)
> Mar 21 22:03:54 saml01 standalone.sh: ... 31 more
> Mar 21 22:03:54 saml01 standalone.sh: Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException]
> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:153)
> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:83)
> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207)
> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:184)
> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:239)
> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193)
> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189)
> Mar 21 22:03:54 saml01 standalone.sh: at javax.naming.InitialContext.lookup(InitialContext.java:417)
> Mar 21 22:03:54 saml01 standalone.sh: at javax.naming.InitialContext.lookup(InitialContext.java:417)
> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:375)
> Mar 21 22:03:54 saml01 standalone.sh: ... 43 more
>
> This means exactly what it says, that KeycloakDS cannot be found; have you looked at standalone.xml?
>
>> Here is the command that I am running. I don't understand what I am doing wrong.
>>
>> [root at saml01 current]# sudo -u keycloak ./bin/jboss-cli.sh 'module add --name=com.jdbc.mysql --resources=mysql-connector-java-5.1.47.jar --dependencies=javax.api,javax.xml.bind.api'
>> Module com.jdbc.mysql already exists at /opt/keycloak/5.0.0/modules/com/jdbc/mysql/main
>> [root at saml01 current]#
>>
>> I ran all of the commands as shown in the example and keycloak still fails to start.
>>
>> On Thursday, March 21, 2019, 7:03:12 AM CDT, Vlasta Ramik wrote:
>>
>> Hello,
>>
>> you can take a look at
>> https://github.com/keycloak/keycloak/blob/cf35a4648bcb93aaf1ac63918ee5c4b0f422d7d5/testsuite/integration-arquillian/servers/auth-server/jboss/common/jboss-cli/configure-server-jpa.cli
>> for inspiration.
>>
>> V.
>>
>> On 3/19/19 9:43 PM, Andrew Meyer wrote:
>> > Hello, if I am adding a mariadb or mysql backend to keycloak v4.8.3 or 5.0.0 what is the correct syntax from the jboss-cli.sh tool? This is what I have in my notes.
>> > Open the Jboss CLI and add the MySQL driver (you don't have to connect with the Jboss websocket).
>> > $ ./bin/jboss-cli.sh
>> > Is this the correct mysql connector version for MariaDB 10.1.x?
>> > MySQL/MariaDB
>> > jboss-cli$ module add --name=com.mysql --dependencies=javax.api,javax.transaction.api --resources=/root/mysql-connector-java-5.1.47.jar
>> >
>> > Add the Database driver to the configuration.
>> > MySQL/MariaDB
>> > # sudo su -
>> > Is this the correct syntax for the driver? Should it be com.mysql or org.mysql?
>> > $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/jdbc-driver=mysql:add(driver-name=mysql,driver-module-name=com.mysql,driver-class-name=com.mysql.jdbc.Driver)'
>> >
>> > Remove the h2 KeycloakDS data source and add the MySQL KeycloakDS data source. (Don't delete the test database and change YOURPASS to something random)
>> > MySQL/MariaDB
>> > # sudo su -
>> > $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=KeycloakDS:remove'
>> > $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=asmDS:add(driver-name=com.mysql,enabled=true,use-java-context=true,connection-url="jdbc:mysql://10.150.10.20:3306/keycloak?useSSL=false&useLegacyDatetimeCode=false&serverTimezone=America/Chicago&characterEncoding=UTF-8",jndi-name="java:/jboss/datasources/KeycloakDS",user-name=keycloak,password="ChangeMe",valid-connection-checker-class-name=org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker,validate-on-match=true,exception-sorter-class-name=org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker)'
>> > $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=asmDS:test-connection-in-pool'
>>
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>

From SJHesse at gmx.de Tue Mar 26 08:53:09 2019
From: SJHesse at gmx.de (Sascha John Hesse)
Date: Tue, 26 Mar 2019 13:53:09 +0100
Subject: [keycloak-user] external SAML for brokering - what is my endpoint?
From andrewm659 at yahoo.com Tue Mar 26 09:44:34 2019
From: andrewm659 at yahoo.com (Andrew Meyer)
Date: Tue, 26 Mar 2019 13:44:34 +0000 (UTC)
Subject: [keycloak-user] adding mysql or mariadb backend
In-Reply-To: <8082afee-e901-dc29-5acb-ffa8552c4677@redhat.com>
References: <1643686692.8175694.1553028218614.ref@mail.yahoo.com> <1643686692.8175694.1553028218614@mail.yahoo.com> <92b0eacb-94ce-46ee-4562-bb88f2cd1041@redhat.com> <1851999884.9610587.1553224187710@mail.yahoo.com> <1870809059.9786354.1553263686636@mail.yahoo.com> <8082afee-e901-dc29-5acb-ffa8552c4677@redhat.com>
Message-ID: <753436644.11603381.1553607874108@mail.yahoo.com>

I got it working.

Sent from Yahoo Mail on Android

On Tue, Mar 26, 2019 at 4:35 AM, Vlasta Ramik wrote:

Hey,

inline.

On 3/22/19 3:08 PM, Andrew Meyer wrote:

Yes. Here is what I have in the standalone.xml:

jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE
h2
sa
sa

jdbc:mysql://10.150.10.20:3306/keycloak?useSSL=false&amp;useLegacyDatetimeCode=false&amp
keycloak

the driver has to correspond to

10
50
true
keycloak
ChangeMe

org.h2.jdbcx.JdbcDataSource

false

I think my connection url line may be incorrect...

On Friday, March 22, 2019, 5:47:00 AM CDT, Vlasta Ramik wrote:

On 3/22/19 4:09 AM, Andrew Meyer wrote:

Yes, I took a look at this.
Followed what was in the examples and still am getting the following: Mar 21 22:03:54 saml01 standalone.sh: atorg.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) Mar 21 22:03:54 saml01 standalone.sh: atorg.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) Mar 21 22:03:54 saml01 standalone.sh: atorg.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) Mar 21 22:03:54 saml01 standalone.sh: atorg.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) Mar 21 22:03:54 saml01 standalone.sh: atio.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:596) Mar 21 22:03:54 saml01 standalone.sh: atorg.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97) Mar 21 22:03:54 saml01 standalone.sh: atorg.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78) Mar 21 22:03:54 saml01 standalone.sh: ... 
8 more Mar 21 22:03:54 saml01 standalone.sh: Caused by: java.lang.RuntimeException: Failed to connect to database Mar 21 22:03:54 saml01 standalone.sh: atorg.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:382) Mar 21 22:03:54 saml01 standalone.sh: atorg.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65) Mar 21 22:03:54 saml01 standalone.sh: atorg.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97) Mar 21 22:03:54 saml01 standalone.sh: atorg.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:678) Mar 21 22:03:54 saml01 standalone.sh: atorg.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95) Mar 21 22:03:54 saml01 standalone.sh: atorg.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:148) Mar 21 22:03:54 saml01 standalone.sh: atorg.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227) Mar 21 22:03:54 saml01 standalone.sh: atorg.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:141) Mar 21 22:03:54 saml01 standalone.sh: at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) Mar 21 22:03:54 saml01 standalone.sh: atsun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) Mar 21 22:03:54 saml01 standalone.sh: atsun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) Mar 21 22:03:54 saml01 standalone.sh: at java.lang.reflect.Constructor.newInstance(Constructor.java:423) Mar 21 22:03:54 saml01 standalone.sh: atorg.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:152) Mar 21 22:03:54 saml01 standalone.sh: ... 
31 more Mar 21 22:03:54 saml01 standalone.sh: Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException] Mar 21 22:03:54 saml01 standalone.sh: atorg.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:153) Mar 21 22:03:54 saml01 standalone.sh: atorg.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:83) Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207) Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:184) Mar 21 22:03:54 saml01 standalone.sh: atorg.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:239) Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193) Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189) Mar 21 22:03:54 saml01 standalone.sh: at javax.naming.InitialContext.lookup(InitialContext.java:417) Mar 21 22:03:54 saml01 standalone.sh: at javax.naming.InitialContext.lookup(InitialContext.java:417) Mar 21 22:03:54 saml01 standalone.sh: atorg.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:375) Mar 21 22:03:54 saml01 standalone.sh: ... 43 more This means exactly what is says that KeycloakDS cannot be found, have you looked at standalone.xml? Here is the command that I am running.? I don't understand what I am doing wrong. [root at saml01 current]# sudo -u keycloak ./bin/jboss-cli.sh 'module add --name=com.jdbc.mysql --resources=mysql-connector-java-5.1.47.jar --dependencies=javax.api,javax.xml.bind.api' Module com.jdbc.mysql already exists at /opt/keycloak/5.0.0/modules/com/jdbc/mysql/main [root at saml01 current]#? I ran all of the commands as shown in the example and keycloak still fails to start. 
On Thursday, March 21, 2019, 7:03:12 AM CDT, Vlasta Ramik wrote: Hello, you can take a look at https://github.com/keycloak/keycloak/blob/cf35a4648bcb93aaf1ac63918ee5c4b0f422d7d5/testsuite/integration-arquillian/servers/auth-server/jboss/common/jboss-cli/configure-server-jpa.cli for inspiration. V. On 3/19/19 9:43 PM, Andrew Meyer wrote: > Hello,If I am adding a mariadb or mysql backend to keycloak v4.8.3 or 5.0.0 what is the correct syntax from the jboss-cli.sh tool?? ?This is what I have in my notes. > Open the Jboss CLI and add the MySQL driver (you don't have to connect with the Jboss websocket). > $ ./bin/jboss-cli.sh?Is this the correct mysql connector version for MariaDB 10.1.x?MySQL/MariaDBjboss-cli$ module add --name=com.mysql? --dependencies=javax.api,javax.transaction.api--resources=/root/mysql-connector-java-5.1.47.jar > > Add the Database driver to the configuration. > MySQL/MariaDB# sudo su - > Is this the correct syntax for the driver?? Should it be com.mysql or org.mysql?? > $ sudo -u keycloak ./bin/jboss-cli.sh'embed-server,/subsystem=datasources/jdbc-driver=mysql:add(driver-name=mysql,driver-module-name=com.mysql,driver-class-name=com.mysql.jdbc.Driver)' > > Remove the h2 KeycloakDS data source and add the MySQL KeycloakDS data source. 
(Don't delete the test database and change YOURPASS to something random) > MySQL/MariaDB > # sudo su -$ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=KeycloakDS:remove' > $ sudo -u keycloak ./bin/jboss-cli.sh'embed-server,/subsystem=datasources/data-source=asmDS:add(driver-name=com.mysql,enabled=true,use-java-context=true,connection-url="jdbc:mysql://10.150.10.20:3306/keycloak?useSSL=false&useLegacyDatetimeCode=false&serverTimezone=America/Chicago&characterEncoding=UTF-8",jndi-name="java:/jboss/datasources/KeycloakDS",user-name=keycloak,password="ChangeMe",valid-connection-checker-class-name=org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker,validate-on-match=true,exception-sorter-class-name=org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker)' > $ sudo -u keycloak ./bin/jboss-cli.sh'embed-server,/subsystem=datasources/data-source=asmDS:test-connection-in-pool' > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From andrewm659 at yahoo.com Tue Mar 26 10:15:45 2019 From: andrewm659 at yahoo.com (Andrew Meyer) Date: Tue, 26 Mar 2019 14:15:45 +0000 (UTC) Subject: [keycloak-user] adding mysql or mariadb backend In-Reply-To: <753436644.11603381.1553607874108@mail.yahoo.com> References: <1643686692.8175694.1553028218614.ref@mail.yahoo.com> <1643686692.8175694.1553028218614@mail.yahoo.com> <92b0eacb-94ce-46ee-4562-bb88f2cd1041@redhat.com> <1851999884.9610587.1553224187710@mail.yahoo.com> <1870809059.9786354.1553263686636@mail.yahoo.com> <8082afee-e901-dc29-5acb-ffa8552c4677@redhat.com> <753436644.11603381.1553607874108@mail.yahoo.com> Message-ID: <616403246.11640775.1553609745148@mail.yahoo.com> Should I see anything in the database?? Tables, etc? On Tuesday, March 26, 2019, 8:44:34 AM CDT, Andrew Meyer wrote: I got it working. 
From vramik at redhat.com Tue Mar 26 10:44:40 2019
From: vramik at redhat.com (Vlasta Ramik)
Date: Tue, 26 Mar 2019 15:44:40 +0100
Subject: [keycloak-user] adding mysql or mariadb backend
In-Reply-To: <616403246.11640775.1553609745148@mail.yahoo.com>
References: <1643686692.8175694.1553028218614.ref@mail.yahoo.com> <1643686692.8175694.1553028218614@mail.yahoo.com> <92b0eacb-94ce-46ee-4562-bb88f2cd1041@redhat.com> <1851999884.9610587.1553224187710@mail.yahoo.com> <1870809059.9786354.1553263686636@mail.yahoo.com> <8082afee-e901-dc29-5acb-ffa8552c4677@redhat.com> <753436644.11603381.1553607874108@mail.yahoo.com> <616403246.11640775.1553609745148@mail.yahoo.com>
Message-ID: <8e806127-e337-4f97-ac0a-931be60033af@redhat.com>

On 3/26/19 3:15 PM, Andrew Meyer wrote:
> Should I see anything in the database? Tables, etc?
yes, you should be able to see tables etc.
>
> On Tuesday, March 26, 2019, 8:44:34 AM CDT, Andrew Meyer wrote:
>
> I got it working.
>
> Sent from Yahoo Mail on Android
>
> On Tue, Mar 26, 2019 at 4:35 AM, Vlasta Ramik wrote:
>
> Hey,
>
> inline.
>
> On 3/22/19 3:08 PM, Andrew Meyer wrote:
> Yes. Here is what I have in the standalone.xml:
>
> jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true">
> jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE
> h2
> sa
> sa
> jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true">
> jdbc:mysql://10.150.10.20:3306/keycloak?useSSL=false&amp;useLegacyDatetimeCode=false&amp
> keycloak
> the driver has to correspond to in this case, so you should update the cli scripts accordingly.
>
>> 10
>> 50
>> true
>> keycloak
>> ChangeMe
>> org.h2.jdbcx.JdbcDataSource
>> relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
>> false
>>
>> I think my connection url line my be incorrect...
>>
>> On Friday, March 22, 2019, 5:47:00 AM CDT, Vlasta Ramik wrote:
>>
>> On 3/22/19 4:09 AM, Andrew Meyer wrote:
>> Yes, I took a look at this. Followed what was in the examples and still am getting the following:
>>
>> Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>> Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>> Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>> Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>> Mar 21 22:03:54 saml01 standalone.sh: at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:596)
>> Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97)
>> Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78)
>> Mar 21 22:03:54 saml01 standalone.sh: ... 8 more
>> Mar 21 22:03:54 saml01 standalone.sh: Caused by: java.lang.RuntimeException: Failed to connect to database
>> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:382)
>> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65)
>> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97)
>> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:678)
>> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95)
>> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:148)
>> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
>> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:141)
>> Mar 21 22:03:54 saml01 standalone.sh: at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>> Mar 21 22:03:54 saml01 standalone.sh: at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>> Mar 21 22:03:54 saml01 standalone.sh: at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>> Mar 21 22:03:54 saml01 standalone.sh: at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:152)
>> Mar 21 22:03:54 saml01 standalone.sh: ... 31 more
>> Mar 21 22:03:54 saml01 standalone.sh: Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException]
>> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:153)
>> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:83)
>> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207)
>> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:184)
>> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:239)
>> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193)
>> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189)
>> Mar 21 22:03:54 saml01 standalone.sh: at javax.naming.InitialContext.lookup(InitialContext.java:417)
>> Mar 21 22:03:54 saml01 standalone.sh: at javax.naming.InitialContext.lookup(InitialContext.java:417)
>> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:375)
>> Mar 21 22:03:54 saml01 standalone.sh: ... 43 more
>> This means exactly what it says, that KeycloakDS cannot be found. Have you looked at standalone.xml?
>>
>>> Here is the command that I am running. I don't understand what I am doing wrong.
>>>
>>> [root at saml01 current]# sudo -u keycloak ./bin/jboss-cli.sh 'module add --name=com.jdbc.mysql --resources=mysql-connector-java-5.1.47.jar --dependencies=javax.api,javax.xml.bind.api'
>>> Module com.jdbc.mysql already exists at /opt/keycloak/5.0.0/modules/com/jdbc/mysql/main
>>> [root at saml01 current]#
>>>
>>> I ran all of the commands as shown in the example and keycloak still fails to start.
>>>
>>> On Thursday, March 21, 2019, 7:03:12 AM CDT, Vlasta Ramik wrote:
>>>
>>> Hello,
>>>
>>> you can take a look at https://github.com/keycloak/keycloak/blob/cf35a4648bcb93aaf1ac63918ee5c4b0f422d7d5/testsuite/integration-arquillian/servers/auth-server/jboss/common/jboss-cli/configure-server-jpa.cli for inspiration.
>>>
>>> V.
>>>
>>> On 3/19/19 9:43 PM, Andrew Meyer wrote:
>>> > Hello, if I am adding a mariadb or mysql backend to keycloak v4.8.3 or 5.0.0, what is the correct syntax from the jboss-cli.sh tool? This is what I have in my notes.
>>> > Open the Jboss CLI and add the MySQL driver (you don't have to connect with the Jboss websocket).
>>> > $ ./bin/jboss-cli.sh
>>> > Is this the correct mysql connector version for MariaDB 10.1.x?
>>> > MySQL/MariaDB
>>> > jboss-cli$ module add --name=com.mysql --dependencies=javax.api,javax.transaction.api --resources=/root/mysql-connector-java-5.1.47.jar
>>> >
>>> > Add the Database driver to the configuration.
>>> > MySQL/MariaDB
>>> > # sudo su -
>>> > Is this the correct syntax for the driver? Should it be com.mysql or org.mysql?
>>> > $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/jdbc-driver=mysql:add(driver-name=mysql,driver-module-name=com.mysql,driver-class-name=com.mysql.jdbc.Driver)'
>>> >
>>> > Remove the h2 KeycloakDS data source and add the MySQL KeycloakDS data source. (Don't delete the test database and change YOURPASS to something random)
>>> > MySQL/MariaDB
>>> > # sudo su -
>>> > $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=KeycloakDS:remove'
>>> > $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=asmDS:add(driver-name=com.mysql,enabled=true,use-java-context=true,connection-url="jdbc:mysql://10.150.10.20:3306/keycloak?useSSL=false&useLegacyDatetimeCode=false&serverTimezone=America/Chicago&characterEncoding=UTF-8",jndi-name="java:/jboss/datasources/KeycloakDS",user-name=keycloak,password="ChangeMe",valid-connection-checker-class-name=org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker,validate-on-match=true,exception-sorter-class-name=org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker)'
>>> > $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=asmDS:test-connection-in-pool'
>>>
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From andrewm659 at yahoo.com Tue Mar 26 10:59:05 2019
From: andrewm659 at yahoo.com (Andrew Meyer)
Date: Tue, 26 Mar 2019 14:59:05 +0000 (UTC)
Subject: [keycloak-user] adding mysql or mariadb backend
In-Reply-To: <8e806127-e337-4f97-ac0a-931be60033af@redhat.com>
References: <1643686692.8175694.1553028218614.ref@mail.yahoo.com> <1643686692.8175694.1553028218614@mail.yahoo.com> <92b0eacb-94ce-46ee-4562-bb88f2cd1041@redhat.com> <1851999884.9610587.1553224187710@mail.yahoo.com> <1870809059.9786354.1553263686636@mail.yahoo.com> <8082afee-e901-dc29-5acb-ffa8552c4677@redhat.com> <753436644.11603381.1553607874108@mail.yahoo.com> <616403246.11640775.1553609745148@mail.yahoo.com> <8e806127-e337-4f97-ac0a-931be60033af@redhat.com>
Message-ID: <1903614744.11672728.1553612345770@mail.yahoo.com>

I see the database
I created.? But no Tables.? I am using the free version.... Welcome to the MariaDB monitor.? Commands end with ; or \g.Your MariaDB connection id is 8904Server version: 10.1.38-MariaDB MariaDB Server Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> show databases;+--------------------+| Database? ? ? ? ? ?|+--------------------+| information_schema || keycloak? ? ? ? ? ?|| test? ? ? ? ? ? ? ?|+--------------------+3 rows in set (0.02 sec) MariaDB [(none)]> use keycloakDatabase changedMariaDB [keycloak]> show tables;Empty set (0.00 sec) MariaDB [keycloak]>? Sent from Yahoo Mail on Android On Tue, Mar 26, 2019 at 9:44 AM, Vlasta Ramik wrote: On 3/26/19 3:15 PM, Andrew Meyer wrote: Should I see anything in the database?? Tables, etc? yes, you should be able to see tables etc. On Tuesday, March 26, 2019, 8:44:34 AM CDT, Andrew Meyer wrote: I got it working. Sent from Yahoo Mail on Android On Tue, Mar 26, 2019 at 4:35 AM, Vlasta Ramik wrote: Hey, inline. On 3/22/19 3:08 PM, Andrew Meyer wrote: Yes.? Here is what I have in the standalone.xml: ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE ? ? ? ? ? ? ? ? ? ? h2 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? sa ? ? ? ? ? ? ? ? ? ? ? ? sa ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?jdbc:mysql://10.150.10.20:3306/keycloak?useSSL=false&amp;useLegacyDatetimeCode=false&amp ? ? ? ? ? ? ? ? ? ? keycloak the driver has to correspond to ? ? ? ? ? ? ? ? ? ? ? ? 10 ? ? ? ? ? ? ? ? ? ? ? ? 50 ? ? ? ? ? ? ? ? ? ? ? ? true ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? keycloak ? ? ? ? ? ? ? ? ? ? ? ? ChangeMe ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?org.h2.jdbcx.JdbcDataSource ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 
false

I think my connection url line may be incorrect...

On Friday, March 22, 2019, 5:47:00 AM CDT, Vlasta Ramik wrote:
On 3/22/19 4:09 AM, Andrew Meyer wrote:
Yes, I took a look at this.  Followed what was in the examples and still am getting the following:

Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
Mar 21 22:03:54 saml01 standalone.sh: at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:596)
Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97)
Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78)
Mar 21 22:03:54 saml01 standalone.sh: ... 8 more
Mar 21 22:03:54 saml01 standalone.sh: Caused by: java.lang.RuntimeException: Failed to connect to database
Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:382)
Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65)
Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97)
Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:678)
Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95)
Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:148)
Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:141)
Mar 21 22:03:54 saml01 standalone.sh: at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
Mar 21 22:03:54 saml01 standalone.sh: at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
Mar 21 22:03:54 saml01 standalone.sh: at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
Mar 21 22:03:54 saml01 standalone.sh: at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:152)
Mar 21 22:03:54 saml01 standalone.sh: ... 31 more
Mar 21 22:03:54 saml01 standalone.sh: Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException]
Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:153)
Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:83)
Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207)
Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:184)
Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:239)
Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193)
Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189)
Mar 21 22:03:54 saml01 standalone.sh: at javax.naming.InitialContext.lookup(InitialContext.java:417)
Mar 21 22:03:54 saml01 standalone.sh: at javax.naming.InitialContext.lookup(InitialContext.java:417)
Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:375)
Mar 21 22:03:54 saml01 standalone.sh: ... 43 more

This means exactly what it says that KeycloakDS cannot be found, have you looked at standalone.xml?

Here is the command that I am running.  I don't understand what I am doing wrong.

[root at saml01 current]# sudo -u keycloak ./bin/jboss-cli.sh 'module add --name=com.jdbc.mysql --resources=mysql-connector-java-5.1.47.jar --dependencies=javax.api,javax.xml.bind.api'
Module com.jdbc.mysql already exists at /opt/keycloak/5.0.0/modules/com/jdbc/mysql/main
[root at saml01 current]#

I ran all of the commands as shown in the example and keycloak still fails to start.
On Thursday, March 21, 2019, 7:03:12 AM CDT, Vlasta Ramik wrote:
Hello,

you can take a look at https://github.com/keycloak/keycloak/blob/cf35a4648bcb93aaf1ac63918ee5c4b0f422d7d5/testsuite/integration-arquillian/servers/auth-server/jboss/common/jboss-cli/configure-server-jpa.cli for inspiration.

V.

On 3/19/19 9:43 PM, Andrew Meyer wrote:
> Hello,
> If I am adding a mariadb or mysql backend to keycloak v4.8.3 or 5.0.0 what is the correct syntax from the jboss-cli.sh tool?  This is what I have in my notes.
> Open the Jboss CLI and add the MySQL driver (you don't have to connect with the Jboss websocket).
> $ ./bin/jboss-cli.sh
> Is this the correct mysql connector version for MariaDB 10.1.x?
> MySQL/MariaDB
> jboss-cli$ module add --name=com.mysql --dependencies=javax.api,javax.transaction.api --resources=/root/mysql-connector-java-5.1.47.jar
>
> Add the Database driver to the configuration.
> MySQL/MariaDB
> # sudo su -
> Is this the correct syntax for the driver?  Should it be com.mysql or org.mysql?
> $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/jdbc-driver=mysql:add(driver-name=mysql,driver-module-name=com.mysql,driver-class-name=com.mysql.jdbc.Driver)'
>
> Remove the h2 KeycloakDS data source and add the MySQL KeycloakDS data source.
> (Don't delete the test database and change YOURPASS to something random)
> MySQL/MariaDB
> # sudo su -
> $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=KeycloakDS:remove'
> $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=asmDS:add(driver-name=com.mysql,enabled=true,use-java-context=true,connection-url="jdbc:mysql://10.150.10.20:3306/keycloak?useSSL=false&useLegacyDatetimeCode=false&serverTimezone=America/Chicago&characterEncoding=UTF-8",jndi-name="java:/jboss/datasources/KeycloakDS",user-name=keycloak,password="ChangeMe",valid-connection-checker-class-name=org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker,validate-on-match=true,exception-sorter-class-name=org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker)'
> $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=asmDS:test-connection-in-pool'
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From cwebb12 at cox.net Tue Mar 26 11:16:21 2019
From: cwebb12 at cox.net (Christophe Webb)
Date: Tue, 26 Mar 2019 11:16:21 -0400 (EDT)
Subject: [keycloak-user] Keycloak FIPS PKI Problems
Message-ID: <745774377.4291.1553613383056@myemail.cox.net>

I am running keycloak in a docker container. We are using PKI as one of the authentication methods for our applications. I followed the instructions for keycloak (X.509 Client Certificate User Authentication) to set this up, and everything seems to work. Next, we needed to update keycloak to be FIPS compliant. For this, we are using the bouncy castle FIPS provider (bc-fips-1.0.1.jar). I have set up the java.security file to make the bouncy castle fips provider the default. This all works correctly as well.
However, once I update the java.security file to use "com.sun.net.ssl.internal.ssl.Provider BCFIPS", PKI no longer works. Regular SSL without a client certificate provided works just fine, and we can log in with username and password, but we need PKI.

I have updated the keycloak standalone.xml with the following:

I took the JKS files for the keystore and truststore that I was using before and imported them to BCFKS files using this basic command:

keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS -srcstorepass -destkeystore keystore.bcfks -deststoretype BCFKS -deststorepass -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /path/to/jar/bc-fips-1.0.1.jar

I also updated the JAVA_OPTS to include -Djavax.net.debug=ssl. In the output, I can see that my certificate is provided, and it looks correct. In the log output after the client certificate is logged, I see the following log statements.

14:38:30,927 INFO [stdout] (default task-1) default task-1, fatal error: 46: General SSLEngine problem
14:38:30,927 INFO [stdout] (default task-1) sun.security.validator.ValidatorException: No trusted certificate found
14:38:30,927 INFO [stdout] (default task-1) %% Invalidated: [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
14:38:30,927 INFO [stdout] (default task-1) default task-1, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
14:38:30,927 INFO [stdout] (default task-1) default task-1, WRITE: TLSv1.2 Alert, length = 2
14:38:30,928 INFO [stdout] (default I/O-2) default I/O-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: General SSLEngine problem
14:38:30,928 INFO [stdout] (default I/O-2) default I/O-2, called closeInbound()
14:38:30,928 INFO [stdout] (default I/O-2) default I/O-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
14:38:30,928 INFO [stdout] (default I/O-2) default I/O-2, called closeOutbound()
14:38:30,928 INFO [stdout] (default I/O-2) default I/O-2, closeOutboundInternal()

From mwaki011 at gmail.com Tue Mar 26 12:16:24 2019
From: mwaki011 at gmail.com (Mike W.)
Date: Tue, 26 Mar 2019 12:16:24 -0400
Subject: [keycloak-user] Infinispan cache synchronization over TLS?
Message-ID:

Hi everyone,

I'm interested to know how the synchronization between infinispan caches occurs when working with keycloak in an HA mode. Is this synchronization by default happening over TLS? In the case of Keycloak, what would be the proper approach to find out what information is being stored and communicated between the infinispan caches and whether that information is stored securely?

Thanks,
Mike

From ryans at jlab.org Tue Mar 26 12:26:48 2019
From: ryans at jlab.org (Ryan Slominski)
Date: Tue, 26 Mar 2019 16:26:48 +0000
Subject: [keycloak-user] Keycloak 5.0.0 and Java 11?
Message-ID:

I'm attempting to use Keycloak 5.0.0 and OpenJDK 11.0.2 on RHEL 7.6, but encountering an error executing the bin/add-user-keycloak.sh script:

[root at keycloaktest bin]# ./add-user-keycloak.sh -u admin
org.jboss.modules.ModuleNotFoundException: java.se
    at org.jboss.modules.Module.addPaths(Module.java:1266)
    at org.jboss.modules.Module.link(Module.java:1622)
    at org.jboss.modules.Module.relinkIfNecessary(Module.java:1650)
    at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:296)
    at org.jboss.modules.Main.main(Main.java:437)
[root at keycloaktest bin]# export JAVA_OPTS="--add-modules java.se"
[root at keycloaktest bin]# echo $JAVA_OPTS
--add-modules java.se
[root at keycloaktest bin]# ./add-user-keycloak.sh -u admin
Press ctrl-d (Unix) or ctrl-z (Windows) to exit
Password:
Added 'admin' to '/opt/wildfly/keycloak-5.0.0/standalone/configuration/keycloak-add-user.json', restart server to load user
[root at keycloaktest bin]#

I found the workaround here:

https://issues.jboss.org/browse/WFCORE-3962

and here:
https://issues.jboss.org/browse/MODULES-372

Is this simply an oversight with the add-user-keycloak.sh script and will be fixed in a future release?

From ryans at jlab.org Tue Mar 26 16:02:51 2019
From: ryans at jlab.org (Ryan Slominski)
Date: Tue, 26 Mar 2019 20:02:51 +0000
Subject: [keycloak-user] Option to disable SPNEGO
Message-ID:

With the "LDAP" User Storage Provider you can configure authentication with a Kerberos password, but disable SPNEGO. The admin web interface labels this "Allow Kerberos Authentication" (seems like a bad label). However, with the "Kerberos" User Storage Provider there is no such option. Is there a reason, or can this be added?

Going a step further, the option to request SPNEGO be disabled via url parameter (regardless of LDAP vs Kerberos User Storage Provider) was discussed years ago (http://lists.jboss.org/pipermail/keycloak-dev/2015-October/005399.html) with no resolution. Where are we with this? Either the parameter approach or some sort of support for "Switch User" would be appreciated because it is very tricky to accommodate with the current API.

Currently I'm using a brokered identity provider which is a duplicate of the primary realm minus SPNEGO support. Then client applications are coded with a "switch user" link that uses the idp_hint parameter to indicate the special su brokered realm be used. Seems unnecessarily complex. Maybe I'm missing something easier?

From mwaki011 at gmail.com Tue Mar 26 16:18:00 2019
From: mwaki011 at gmail.com (Mike W.)
Date: Tue, 26 Mar 2019 16:18:00 -0400
Subject: [keycloak-user] Purpose of proxy_address_forwardinf variable?
Message-ID:

Does anyone know what exactly is the purpose of the proxy_address_forwarding variable and what are its expected effects once it is enabled and added to the http and https listeners in the standalone / standalone-ha xml files?
Thanks,
Mike

From jerry.saravia at virginpulse.com Tue Mar 26 16:19:11 2019
From: jerry.saravia at virginpulse.com (Jerry Saravia)
Date: Tue, 26 Mar 2019 20:19:11 +0000
Subject: [keycloak-user] Override "native" Keycloak providers
Message-ID: <7D37129B-790A-41F1-9616-BF35B5D22EAA@contoso.com>

Hello,

Disclaimer: This might be a keycloak dev mailing list question.

We've been using version 3.4.3 for a while now and are attempting to upgrade to 4.8 and we've run into some issues.

Summary: We have created our own providers with the same PROVIDER_ID as some of the built in providers. For example, PasswordCredentialProvider has a provider id of "keycloak-password" and we created our own with the same id that gets loaded after the native one. This worked because in 3.4.3 providers that were using the same id would still have their factories added to the factory map.

See this link here for 3.4.3 changes:
https://github.com/keycloak/keycloak/blob/3.4.3.Final/services/src/main/java/org/keycloak/provider/ProviderManager.java#L96-L100

These are the 4.8 changes:
https://github.com/keycloak/keycloak/blob/4.8.3.Final/services/src/main/java/org/keycloak/provider/ProviderManager.java#L96-L99

In 4.8, the fully qualified class name (FQCN) is no longer used. Instead it uses the provider id and the spi name. I can no longer use the same PROVIDER_ID as the native providers to "override" them, but sometimes there is code that gets the provider specifically by id. For example, in the UpdatePassword required action we have this:

PasswordCredentialProvider passwordProvider = (PasswordCredentialProvider) context.getSession().getProvider(CredentialProvider.class, PasswordCredentialProviderFactory.PROVIDER_ID);

In 3.4.3 because our provider was loaded we were able to inject into code that normally isn't overridable.
We did the same for the OIDCLoginProtocolFactory to alter some token endpoint behavior, even the UpdatePassword required action itself, rather than making a brand new required action that is "second rate" because it isn't native to Keycloak.

Is there a solution for this in 4.8.3? I see this change was made in 4.0.0.Beta1 according to some of the history.

Jerry Saravia
Software Engineer
virginpulse.com
From pbraun at redhat.com Wed Mar 27 06:17:26 2019
From: pbraun at redhat.com (Peter Braun)
Date: Wed, 27 Mar 2019 11:17:26 +0100
Subject: [keycloak-user] Problem with Github Identity Provider
Message-ID:

Hey everyone,

I'm having trouble with the Github Identity Provider in Keycloak 4 (using RH-SSO 7.3) where it was working fine with Keycloak 3 (RH-SSO 7.2). Realm, Client and Provider are configured in the same way but login fails and I get this error in the logs:

09:14:19,823 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-71) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access token available in OAuth server response: {"error":"unauthorized_client","error_description":"The client is not authorized to request a token using this method."}

I've already checked that the credentials are correct and that the realm, client and idp settings are similar to the Keycloak 3 instance.

Any idea where to best start looking?
Regards,
Peter

From vramik at redhat.com Wed Mar 27 09:06:01 2019
From: vramik at redhat.com (Vlasta Ramik)
Date: Wed, 27 Mar 2019 14:06:01 +0100
Subject: [keycloak-user] adding mysql or mariadb backend
In-Reply-To: <1903614744.11672728.1553612345770@mail.yahoo.com>
References: <1643686692.8175694.1553028218614.ref@mail.yahoo.com> <1643686692.8175694.1553028218614@mail.yahoo.com> <92b0eacb-94ce-46ee-4562-bb88f2cd1041@redhat.com> <1851999884.9610587.1553224187710@mail.yahoo.com> <1870809059.9786354.1553263686636@mail.yahoo.com> <8082afee-e901-dc29-5acb-ffa8552c4677@redhat.com> <753436644.11603381.1553607874108@mail.yahoo.com> <616403246.11640775.1553609745148@mail.yahoo.com> <8e806127-e337-4f97-ac0a-931be60033af@redhat.com> <1903614744.11672728.1553612345770@mail.yahoo.com>
Message-ID:

Hey,

it's hard to say what could be wrong, anyway you can at least add some loggers and try to read from those what is happening.

You should see something like

INFO [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 54) HHH000400: Using dialect: org.hibernate.dialect.MariaDB10Dialect

in the server log (if you've added the logger from the script I've sent you earlier).

Then I recommend you to go thru wildfly documentation regarding configuring datasources, installing jdbc drivers etc.

V.

On 3/26/19 3:59 PM, Andrew Meyer wrote:
> I see the database I created.  But no Tables.  I am using the free
> version....
>
> Welcome to the MariaDB monitor.  Commands end with ; or \g.
> Your MariaDB connection id is 8904
> Server version: 10.1.38-MariaDB MariaDB Server
>
> Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
>
> Type 'help;' or '\h' for help. Type '\c' to clear the current input
> statement.
>
> MariaDB [(none)]> show databases;
> +--------------------+
> | Database           |
> +--------------------+
> | information_schema |
> | keycloak           |
> | test               |
> +--------------------+
> 3 rows in set (0.02 sec)
>
> MariaDB [(none)]> use keycloak
> Database changed
> MariaDB [keycloak]> show tables;
> Empty set (0.00 sec)
>
> MariaDB [keycloak]>
>
> Sent from Yahoo Mail on Android
>
> On Tue, Mar 26, 2019 at 9:44 AM, Vlasta Ramik wrote:
> On 3/26/19 3:15 PM, Andrew Meyer wrote:
> Should I see anything in the database?  Tables, etc?
> yes, you should be able to see tables etc.
>
>> On Tuesday, March 26, 2019, 8:44:34 AM CDT, Andrew Meyer wrote:
>>
>> I got it working.
>>
>> Sent from Yahoo Mail on Android
>>
>> On Tue, Mar 26, 2019 at 4:35 AM, Vlasta Ramik wrote:
>>
>> Hey,
>>
>> inline.
>>
>> On 3/22/19 3:08 PM, Andrew Meyer wrote:
>> Yes.  Here is what I have in the standalone.xml:
>>
>> [datasource excerpt: the XML tags were stripped by the archive; only attributes and element values remain]
>> pool-name="ExampleDS" enabled="true" use-java-context="true"
>> jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE
>> h2
>> sa
>> sa
>>
>> pool-name="KeycloakDS" enabled="true" use-java-context="true"
>> jdbc:mysql://10.150.10.20:3306/keycloak?useSSL=false&amp;useLegacyDatetimeCode=false&amp
>> keycloak
>> the driver has to correspond to mysql in this case, so you should update the cli scripts accordingly.
>>
>>> 10
>>> 50
>>> true
>>>
>>> keycloak
>>> ChangeMe
>>>
>>> org.h2.jdbcx.JdbcDataSource
>>>
>>> relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"
>>>
>>> false
>>>
>>> I think my connection url line may be incorrect...
>>>
>>> On Friday, March 22, 2019, 5:47:00 AM CDT, Vlasta Ramik wrote:
>>>
>>> On 3/22/19 4:09 AM, Andrew Meyer wrote:
>>> Yes, I took a look at this.
>>> Followed what was in the examples and still am getting the following:
>>>
>>> Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>>> Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>>> Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>>> Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>>> Mar 21 22:03:54 saml01 standalone.sh: at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:596)
>>> Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97)
>>> Mar 21 22:03:54 saml01 standalone.sh: at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78)
>>> Mar 21 22:03:54 saml01 standalone.sh: ... 8 more
>>> Mar 21 22:03:54 saml01 standalone.sh: Caused by: java.lang.RuntimeException: Failed to connect to database
>>> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:382)
>>> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65)
>>> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97)
>>> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:678)
>>> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95)
>>> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:148)
>>> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
>>> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:141)
>>> Mar 21 22:03:54 saml01 standalone.sh: at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>> Mar 21 22:03:54 saml01 standalone.sh: at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>> Mar 21 22:03:54 saml01 standalone.sh: at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>> Mar 21 22:03:54 saml01 standalone.sh: at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>>> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:152)
>>> Mar 21 22:03:54 saml01 standalone.sh: ... 31 more
>>> Mar 21 22:03:54 saml01 standalone.sh: Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException]
>>> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:153)
>>> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:83)
>>> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207)
>>> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:184)
>>> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:239)
>>> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193)
>>> Mar 21 22:03:54 saml01 standalone.sh: at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189)
>>> Mar 21 22:03:54 saml01 standalone.sh: at javax.naming.InitialContext.lookup(InitialContext.java:417)
>>> Mar 21 22:03:54 saml01 standalone.sh: at javax.naming.InitialContext.lookup(InitialContext.java:417)
>>> Mar 21 22:03:54 saml01 standalone.sh: at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:375)
>>> Mar 21 22:03:54 saml01 standalone.sh: ... 43 more
>>> This means exactly what it says that KeycloakDS cannot be found, have you looked at standalone.xml?
>>>
>>>> Here is the command that I am running.  I don't understand what I am doing wrong.
>>>> [root at saml01 current]# sudo -u keycloak ./bin/jboss-cli.sh 'module add --name=com.jdbc.mysql --resources=mysql-connector-java-5.1.47.jar --dependencies=javax.api,javax.xml.bind.api'
>>>> Module com.jdbc.mysql already exists at /opt/keycloak/5.0.0/modules/com/jdbc/mysql/main
>>>> [root at saml01 current]#
>>>>
>>>> I ran all of the commands as shown in the example and keycloak still fails to start.
>>>>
>>>> On Thursday, March 21, 2019, 7:03:12 AM CDT, Vlasta Ramik wrote:
>>>>
>>>> Hello,
>>>>
>>>> you can take a look at
>>>> https://github.com/keycloak/keycloak/blob/cf35a4648bcb93aaf1ac63918ee5c4b0f422d7d5/testsuite/integration-arquillian/servers/auth-server/jboss/common/jboss-cli/configure-server-jpa.cli
>>>> for inspiration.
>>>>
>>>> V.
>>>>
>>>> On 3/19/19 9:43 PM, Andrew Meyer wrote:
>>>> > Hello,
>>>> > If I am adding a mariadb or mysql backend to keycloak v4.8.3 or 5.0.0 what is the correct syntax from the jboss-cli.sh tool?  This is what I have in my notes.
>>>> > Open the Jboss CLI and add the MySQL driver (you don't have to connect with the Jboss websocket).
>>>> > $ ./bin/jboss-cli.sh
>>>> > Is this the correct mysql connector version for MariaDB 10.1.x?
>>>> > MySQL/MariaDB
>>>> > jboss-cli$ module add --name=com.mysql --dependencies=javax.api,javax.transaction.api --resources=/root/mysql-connector-java-5.1.47.jar
>>>> >
>>>> > Add the Database driver to the configuration.
>>>> > MySQL/MariaDB
>>>> > # sudo su -
>>>> > Is this the correct syntax for the driver? Should it be com.mysql or org.mysql?
>>>> > $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/jdbc-driver=mysql:add(driver-name=mysql,driver-module-name=com.mysql,driver-class-name=com.mysql.jdbc.Driver)'
>>>> >
>>>> > Remove the h2 KeycloakDS data source and add the MySQL KeycloakDS data source.
>>>> > (Don't delete the test database and change YOURPASS to something random)
>>>> > MySQL/MariaDB
>>>> > # sudo su -
>>>> > $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=KeycloakDS:remove'
>>>> > $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=asmDS:add(driver-name=com.mysql,enabled=true,use-java-context=true,connection-url="jdbc:mysql://10.150.10.20:3306/keycloak?useSSL=false&useLegacyDatetimeCode=false&serverTimezone=America/Chicago&characterEncoding=UTF-8",jndi-name="java:/jboss/datasources/KeycloakDS",user-name=keycloak,password="ChangeMe",valid-connection-checker-class-name=org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker,validate-on-match=true,exception-sorter-class-name=org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker)'
>>>> > $ sudo -u keycloak ./bin/jboss-cli.sh 'embed-server,/subsystem=datasources/data-source=asmDS:test-connection-in-pool'
>>>>
>>>> > _______________________________________________
>>>> > keycloak-user mailing list
>>>> > keycloak-user at lists.jboss.org
>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From vramik at redhat.com Wed Mar 27 09:14:26 2019
From: vramik at redhat.com (Vlasta Ramik)
Date: Wed, 27 Mar 2019 14:14:26 +0100
Subject: [keycloak-user] Keycloak 5.0.0 and Java 11?
In-Reply-To:
References:
Message-ID: <43a93621-fa41-5885-79b1-689297e5fef1@redhat.com>

Hey Ryan,

I believe it's a bug and should be fixed in future releases, would you mind creating a ticket at https://issues.jboss.org/browse/KEYCLOAK ?

Thanks,
V.
On 3/26/19 5:26 PM, Ryan Slominski wrote:
> I'm attempting to use Keycloak 5.0.0 and OpenJDK 11.0.2 on RHEL 7.6, but encountering an error executing the bin/add-user-keycloak.sh script:
>
> [root at keycloaktest bin]# ./add-user-keycloak.sh -u admin
> org.jboss.modules.ModuleNotFoundException: java.se
>     at org.jboss.modules.Module.addPaths(Module.java:1266)
>     at org.jboss.modules.Module.link(Module.java:1622)
>     at org.jboss.modules.Module.relinkIfNecessary(Module.java:1650)
>     at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:296)
>     at org.jboss.modules.Main.main(Main.java:437)
> [root at keycloaktest bin]# export JAVA_OPTS="--add-modules java.se"
> [root at keycloaktest bin]# echo $JAVA_OPTS
> --add-modules java.se
> [root at keycloaktest bin]# ./add-user-keycloak.sh -u admin
> Press ctrl-d (Unix) or ctrl-z (Windows) to exit
> Password:
> Added 'admin' to '/opt/wildfly/keycloak-5.0.0/standalone/configuration/keycloak-add-user.json', restart server to load user
> [root at keycloaktest bin]#
>
> I found the workaround here:
>
> https://issues.jboss.org/browse/WFCORE-3962
>
> and here:
>
> https://issues.jboss.org/browse/MODULES-372
>
> Is this simply an oversight with the add-user-keycloak.sh script and will be fixed in a future release?
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ryans at jlab.org Wed Mar 27 09:25:16 2019
From: ryans at jlab.org (Ryan Slominski)
Date: Wed, 27 Mar 2019 13:25:16 +0000
Subject: [keycloak-user] Keycloak 5.0.0 and Java 11?
In-Reply-To: <43a93621-fa41-5885-79b1-689297e5fef1@redhat.com>
References: , <43a93621-fa41-5885-79b1-689297e5fef1@redhat.com>
Message-ID:

JIRA Issue Ticket Created: https://issues.jboss.org/browse/KEYCLOAK-9923

________________________________
From: Vlasta Ramik
Sent: Wednesday, March 27, 2019 9:14 AM
To: Ryan Slominski; keycloak-user
Subject: Re: [keycloak-user] Keycloak 5.0.0 and Java 11?

Hey Ryan,

I believe it's a bug and should be fixed in future releases. Would you mind creating a ticket at https://issues.jboss.org/browse/KEYCLOAK ?

Thanks,
V.

On 3/26/19 5:26 PM, Ryan Slominski wrote:
> I'm attempting to use Keycloak 5.0.0 and OpenJDK 11.0.2 on RHEL 7.6, but encountering an error executing the bin/add-user-keycloak.sh script:
>
> [root at keycloaktest bin]# ./add-user-keycloak.sh -u admin
> org.jboss.modules.ModuleNotFoundException: java.se
> at org.jboss.modules.Module.addPaths(Module.java:1266)
> at org.jboss.modules.Module.link(Module.java:1622)
> at org.jboss.modules.Module.relinkIfNecessary(Module.java:1650)
> at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:296)
> at org.jboss.modules.Main.main(Main.java:437)
> [root at keycloaktest bin]# export JAVA_OPTS="--add-modules java.se"
> [root at keycloaktest bin]# echo $JAVA_OPTS
> --add-modules java.se
> [root at keycloaktest bin]# ./add-user-keycloak.sh -u admin
> Press ctrl-d (Unix) or ctrl-z (Windows) to exit
> Password:
> Added 'admin' to '/opt/wildfly/keycloak-5.0.0/standalone/configuration/keycloak-add-user.json', restart server to load user
> [root at keycloaktest bin]#
>
> I found the workaround here:
>
> https://issues.jboss.org/browse/WFCORE-3962
>
> and here:
>
> https://issues.jboss.org/browse/MODULES-372
>
> Is this simply an oversight with the add-user-keycloak.sh script and will be fixed in a future release?
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From thomas.richner at oviva.com Wed Mar 27 10:29:25 2019
From: thomas.richner at oviva.com (Thomas Richner)
Date: Wed, 27 Mar 2019 15:29:25 +0100
Subject: [keycloak-user] Identity Provider for Provisioned Accounts
Message-ID:

Hi all,

I'm trying to add an identity provider that can only be used to log in for existing accounts. It should cover the following use case:

1. there is an existing Keycloak account with the email `alice at example.com`
2. Alice also has a Google account with the email `alice at example.com`
3. Alice wants to log in at Keycloak and clicks 'login with google'
4. She successfully completes the Google oauth flow
5. now Alice should have a valid session for the `alice at example.com` account in Keycloak

There does not need to be any further confirmation/updating of user information, and if `alice at example.com` does not exist in Keycloak the login should just fail.

I struggle especially with the last part since the `Create User If Unique` in the first broker flow cannot be disabled.

I also came across the following issue https://issues.jboss.org/browse/KEYCLOAK-4240 which seems to ask for more or less what I need, but it seems to have been dead for quite some time :/

Did anybody successfully solve that issue? Is there some 'first login flow' that can handle this use case?

Cheers and Thanks,
Thomas

From keycloak-user at bulk.harnly.net Wed Mar 27 11:57:10 2019
From: keycloak-user at bulk.harnly.net (Aaron Harnly)
Date: Wed, 27 Mar 2019 15:57:10 +0000
Subject: [keycloak-user] Password hash migration: what authority says "rehash the hash" is a good strategy?
Message-ID:

We are migrating an older system with a deprecated password hashing strategy that we want to bring up to modern standard. There are a range of options for the migration, including:

1. Reset all user passwords (not ideal!)
2. Rehash after successful login (works, but leaves older hashes in storage until the long tail of users have all logged in)
3. "Rehash the hashes", i.e. bulk replace the 'oldhash' values with newhash(oldhash), with a custom verifier that does the double hash; then do #2 on login.

I'd like input on strategy #3, i.e. is there advice from authoritative sources confirming that this is a secure strategy? It seems fine to my layperson's eyeballs, and is surely better than leaving old hash values in storage for a long time. But I'd like reassurance on it, and can't find anything other than stray Stack Overflow responses [1, 2] or blog posts [3] discussing it.
[1]: https://crypto.stackexchange.com/q/2945
[2]: https://security.stackexchange.com/a/17294
[3]: https://www.michalspacek.com/upgrading-existing-password-hashes

Any suggestions for an authoritative source on this?

cheers
-Aaron

From ryans at jlab.org Wed Mar 27 12:00:24 2019
From: ryans at jlab.org (Ryan Slominski)
Date: Wed, 27 Mar 2019 16:00:24 +0000
Subject: [keycloak-user] LDAP null uuid Regression?
Message-ID:

I'm attempting to set up Keycloak 5.0.0 with Java 11 with an LDAP User Storage Provider, and I am unable to load users into Keycloak. I'm using Red Hat Identity Manager as the LDAP server (which, I believe, uses Red Hat Directory Server under the hood). The error in the log file when I navigate to the "Users" menu to try to search for a user is:

2019-03-27 11:38:54,095 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-15) Uncaught server error: org.keycloak.models.ModelException: User returned from LDAP has null uuid! Check configuration of your LDAP settings. UUID Attribute must be unique among your LDAP records and available on all the LDAP user records. If your LDAP server really doesn't support the notion of UUID, you can use any other attribute, which is supposed to be unique among LDAP users in tree. For example 'uid' or 'entryDN' . Mapped UUID LDAP attribute: nsuniqueid, user DN: uid=ryans,cn=users,cn=accounts,dc=acc,dc=jlab,dc=org
        at org.keycloak.keycloak-ldap-federation at 5.0.0//org.keycloak.storage.ldap.LDAPUtils.checkUuid(LDAPUtils.java:123)
        at org.keycloak.keycloak-ldap-federation at 5.0.0//org.keycloak.storage.ldap.LDAPStorageProvider.importUserFromLDAP(LDAPStorageProvider.java:498)
        at org.keycloak.keycloak-ldap-federation at 5.0.0//org.keycloak.storage.ldap.LDAPStorageProvider.searchForUser(LDAPStorageProvider.java:372)
        at org.keycloak.keycloak-ldap-federation at 5.0.0//org.keycloak.storage.ldap.LDAPStorageProvider.searchForUser(LDAPStorageProvider.java:354)
        at org.keycloak.keycloak-services at 5.0.0//org.keycloak.storage.UserStorageManager.lambda$searchForUser$1(UserStorageManager.java:537)
        at org.keycloak.keycloak-services at 5.0.0//org.keycloak.storage.UserStorageManager.query(UserStorageManager.java:505)
        at org.keycloak.keycloak-services at 5.0.0//org.keycloak.storage.UserStorageManager.searchForUser(UserStorageManager.java:535)
        at org.keycloak.keycloak-model-infinispan at 5.0.0//org.keycloak.models.cache.infinispan.UserCacheSession.searchForUser(UserCacheSession.java:573)
        at org.keycloak.keycloak-services at 5.0.0//org.keycloak.services.resources.admin.UsersResource.getUsers(UsersResource.java:202)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
        at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
        at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
        at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
        at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
        at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
        at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
        at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
        at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
        at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
        at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
        at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
        at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
        at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:439)
        at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
        at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
        at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
        at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
        at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
        at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
        at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.api at 1.0.0.Final//javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
        at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
        at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
        at org.keycloak.keycloak-services at 5.0.0//org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
        at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
        at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
        at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
        at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
        at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
        at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at org.wildfly.extension.undertow at 15.0.1.Final//org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at io.undertow.core at 2.0.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
        at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
        at io.undertow.core at 2.0.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.core at 2.0.15.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
        at io.undertow.core at 2.0.15.Final//io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
        at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
        at io.undertow.core at 2.0.15.Final//io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
        at io.undertow.core at 2.0.15.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
        at io.undertow.core at 2.0.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow at 15.0.1.Final//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.core at 2.0.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow at 15.0.1.Final//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
        at io.undertow.core at 2.0.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
        at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
        at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
        at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
        at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
        at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
        at org.wildfly.extension.undertow at 15.0.1.Final//org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
        at org.wildfly.extension.undertow at 15.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
        at org.wildfly.extension.undertow at 15.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
        at org.wildfly.extension.undertow at 15.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
        at org.wildfly.extension.undertow at 15.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
        at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
        at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
        at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
        at io.undertow.core at 2.0.15.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
        at io.undertow.core at 2.0.15.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
        at org.jboss.threads at 2.3.2.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
        at org.jboss.threads at 2.3.2.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
        at org.jboss.threads at 2.3.2.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
        at org.jboss.threads at 2.3.2.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
        at java.base/java.lang.Thread.run(Thread.java:834)

I believe this is a regression since I have this currently working on another server using Keycloak 4.1.0 and Java 8. As a workaround I can update the "UUID LDAP attribute" from "nsuniqueid" to "uid" and then it works again (I can search for and find users on the Users page). However, I know the "nsuniqueid" field exists in LDAP and I'm using that field with Keycloak 4.1.0. Should I create an issue ticket for this?

From kemalhadimli at maviucak.com Wed Mar 27 12:22:49 2019
From: kemalhadimli at maviucak.com (Kemal Hadımlı)
Date: Wed, 27 Mar 2019 16:22:49 +0000
Subject: [keycloak-user] Mappers with token exchange
Message-ID:

Hello,

We're using token exchange to enable logins for social media provider users, using their respective native apps. So the tokens are obtained via official SDKs/apps, then sent to our backend to be exchanged for a keycloak token, which is then used throughout.

The problem is, attribute importers don't seem to be running for tokens that are exchanged with this method. We have a mapper to export the user's facebook id ("Social Profile JSON Field Path" set to "id") to a custom user attribute, but it doesn't seem to be working. (except of course when I login "properly" and don't use the token exchange process at all)

Are there any settings that I'm missing? Recommendations?

(Keycloak 5.0. Same with 4.1)

Thanks
Kemal

From l.lech at ringler.ch Wed Mar 27 12:23:51 2019
From: l.lech at ringler.ch (Lukasz Lech)
Date: Wed, 27 Mar 2019 16:23:51 +0000
Subject: [keycloak-user] Password hash migration: what authority says "rehash the hash" is a good strategy?
In-Reply-To: References: Message-ID: <5E48B917000C984B86B77170F441903A18974DF8@exch.ringler.ch>

I wonder how you want to attempt 2 or 3?
I've seen code examples for 2, but they ended up creating a link between the keycloak account and the old system database, instead of fully replacing the old (linked) account with a new one.

How would 3 be possible without attempting to break existing passwords?

However, our case was specific because we've got an existing legacy solution with a hashing algorithm not supported by keycloak. We've ended up with 1. An attempt to implement 2 has failed.

Best regards,
Lukasz Lech

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Aaron Harnly
Sent: Mittwoch, 27. März 2019 16:57
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Password hash migration: what authority says "rehash the hash" is a good strategy?

We are migrating an older system with a deprecated password hashing strategy that we want to bring up to modern standard. There are a range of options for the migration, including:

1. Reset all user passwords (not ideal!)
2. Rehash after successful login (works, but leaves older hashes in storage until the long tail of users have all logged in)
3. "Rehash the hashes", i.e. bulk replace the 'oldhash' values with newhash(oldhash), with a custom verifier that does the double hash; then do #2 on login.

I'd like input on strategy #3, i.e. is there advice from authoritative sources confirming that this is a secure strategy? It seems fine to my layperson's eyeballs, and is surely better than leaving old hash values in storage for a long time. But I'd like reassurance on it, and can't find anything other than stray Stack Overflow responses [1, 2] or blog posts [3] discussing it.

[1]: https://crypto.stackexchange.com/q/2945
[2]: https://security.stackexchange.com/a/17294
[3]: https://www.michalspacek.com/upgrading-existing-password-hashes

Any suggestions for an authoritative source on this?
cheers
-Aaron
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From ryans at jlab.org Wed Mar 27 13:07:48 2019
From: ryans at jlab.org (Ryan Slominski)
Date: Wed, 27 Mar 2019 17:07:48 +0000
Subject: [keycloak-user] Why duplicate records found for user?
Message-ID:

I've noticed this behavior with both Keycloak 4.1.0 and Keycloak 5.0.0: when using admin web interface "Users" search duplicate records are found for some users. What could possibly be causing this?

I've tried clearing all caches from (Realm Settings > Cache) and I've tried removing imported users (User Federation > ldap storage provider > "Remove Imported" button). Still seeing duplicates for some users. Weird. I've got UUID LDAP attribute set to nsuniqueid with keycloak 4.1.0 and to uid with keycloak 5.0.0 (both pointing to same Red Hat Identity Manager instance). Duplicate users don't seem to be duplicated in LDAP. Maybe group-ldap-mapper is doing something weird? Is this due to Brokered Identities? Or is this just a bug?

From tswiftma at gmail.com Wed Mar 27 14:34:40 2019
From: tswiftma at gmail.com (Tim Swift)
Date: Wed, 27 Mar 2019 14:34:40 -0400
Subject: [keycloak-user] Keycloak performance on Kubernetes
Message-ID:

Hi,

For my portal config I have a Keycloak cluster running in a Docker container deployed with Kubernetes/Azure. Database is postgres (4 cores). I am performance testing by using JMeter to get response times for a POST to /auth/realms/(domain)/login-actions. Overall I'm not seeing very good results:

Threads   Response (ms)
200       5009
400       7283
600       10065

I need to support up to 2500 concurrent logins (threads) and realistically response time should be less than 5 seconds. When I run the tests the DB utilization is low. I have tried the following but response times are still fairly slow.

1. Add 3 additional keycloak pods to Kubernetes (result: small improvement in response times)
2. Bump up CPU on keycloak pods (CPU was spiking during tests, but memory usage fairly low)
3. Investigate Azure App Gateway usage (not an issue)

I'm running out of ideas now, how can I get Keycloak to handle more logins with better response times? Thanks for any help.

Tim

From andrewm659 at yahoo.com Wed Mar 27 14:50:52 2019
From: andrewm659 at yahoo.com (Andrew Meyer)
Date: Wed, 27 Mar 2019 18:50:52 +0000 (UTC)
Subject: [keycloak-user] keycloak database
References: <901314576.12519564.1553712652555.ref@mail.yahoo.com>
Message-ID: <901314576.12519564.1553712652555@mail.yahoo.com>

So I've created the keycloak database, but when I login to the admin side and set it all up should there be any other databases/tables that get added to MariaDB/MySQL/ or PostGreSQL?
I see a blank database. Did I miss something?
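Going back to Aaron Harnly's "rehash the hash" question and Lukasz Lech's reply above: the following is an added example, not code from this thread and not Keycloak code. It implements strategy 3 (bulk-replace every stored `oldhash` with `newhash(oldhash)`, which needs no user interaction) together with strategy 2 (on the next successful login, replace the wrapped record with a native `newhash(password)` record), behind one verifier that understands both record kinds. Everything concrete here is an assumption for illustration: the deprecated scheme is taken to be unsalted SHA-1 hex, the replacement KDF is PBKDF2-HMAC-SHA256 from the Python standard library, the record format `$kind$iterations$salt$digest` is invented, and the iteration count is deliberately modest so the example runs quickly. Wiring this into Keycloak would mean a custom PasswordHashProvider, which this snippet does not attempt.

```python
"""Password-hash migration: 'rehash the hash' (strategy 3) plus upgrade-on-login (strategy 2).

Constructed example. Assumptions (not from the thread): the deprecated scheme is
unsalted SHA-1 hex; the replacement KDF is PBKDF2-HMAC-SHA256 (stdlib); records
are stored as '$kind$iterations$salt_b64$digest_b64'. Keycloak is not involved.
"""
import base64
import hashlib
import hmac
import os

WRAPPED = "pbkdf2-wrapped-sha1"   # newhash(oldhash): produced in bulk, no password needed
NATIVE = "pbkdf2"                 # newhash(password): produced once the user logs in again
ITERATIONS = 100_000              # kept low for the example; raise it for real deployments


def legacy_hash(password: str) -> str:
    """The deprecated scheme being migrated away from (assumed: unsalted SHA-1 hex)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def _kdf(secret: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations)


def _encode(kind: str, iterations: int, salt: bytes, digest: bytes) -> str:
    b64 = lambda b: base64.b64encode(b).decode("ascii")  # base64 never contains '$'
    return f"${kind}${iterations}${b64(salt)}${b64(digest)}"


def parse_record(record: str):
    """Split a stored record into (kind, iterations, salt, digest)."""
    _, kind, iterations, salt, digest = record.split("$")
    return kind, int(iterations), base64.b64decode(salt), base64.b64decode(digest)


def wrap_legacy_hash(old_hash_hex: str, salt: bytes = None) -> str:
    """Strategy 3: store newhash(oldhash). Works offline because only the old hash is needed."""
    salt = salt or os.urandom(16)
    return _encode(WRAPPED, ITERATIONS, salt, _kdf(old_hash_hex.encode("ascii"), salt, ITERATIONS))


def hash_password(password: str, salt: bytes = None) -> str:
    """Native record newhash(password); only possible while the cleartext is in hand."""
    salt = salt or os.urandom(16)
    return _encode(NATIVE, ITERATIONS, salt, _kdf(password.encode("utf-8"), salt, ITERATIONS))


def bulk_wrap(table: dict) -> dict:
    """Apply strategy 3 to a whole {user: legacy_hash_hex} table in one pass."""
    return {user: wrap_legacy_hash(old) for user, old in table.items()}


def verify(password: str, record: str) -> bool:
    """Custom verifier that accepts both record kinds; unknown kinds never verify."""
    kind, iterations, salt, digest = parse_record(record)
    if kind == WRAPPED:
        secret = legacy_hash(password).encode("ascii")   # recompute the inner legacy hash
    elif kind == NATIVE:
        secret = password.encode("utf-8")
    else:
        return False
    return hmac.compare_digest(_kdf(secret, salt, iterations), digest)


def verify_and_upgrade(password: str, record: str):
    """Strategy 2 on top of 3: after a successful login against a wrapped record,
    hand back a native record for the caller to store. Returns (ok, new_record_or_None)."""
    if not verify(password, record):
        return False, None
    if parse_record(record)[0] == WRAPPED:
        return True, hash_password(password)
    return True, None


if __name__ == "__main__":
    # Constructed legacy table: two users whose passwords we do not know at migration time.
    legacy_table = {"alice": legacy_hash("correct horse"), "bob": legacy_hash("hunter2")}
    migrated = bulk_wrap(legacy_table)
    ok, upgraded = verify_and_upgrade("correct horse", migrated["alice"])
    print(ok, parse_record(migrated["alice"])[0], "->", parse_record(upgraded)[0])
```

Two caveats a reviewer of strategy 3 would raise. First, a wrapped record resists offline guessing exactly as well as the new KDF does and no better: the inner SHA-1 is a deterministic function of the password, so it adds work for the attacker only by the cost of one SHA-1 per guess. The gain is that a dumped table no longer exposes bare, unsalted fast hashes. Second, the legacy function must stay in the verifier until the last wrapped record is gone; counting records by kind gives you that progress directly.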
From ryans at jlab.org Wed Mar 27 14:52:24 2019
From: ryans at jlab.org (Ryan Slominski)
Date: Wed, 27 Mar 2019 18:52:24 +0000
Subject: [keycloak-user] Why duplicate records found for user?
In-Reply-To: References: Message-ID:

I found some clues by enabling TRACE logging:

./jboss-cli.sh --connect
/subsystem=logging/logger=org.keycloak/:add(category=org.keycloak,level=TRACE)

I then tailed the log file while performing user search. I see that two LDAP queries are executed. The first one is look for user by ID. The second one is look for user by lastname. What it means is if you have a user whose username and lastname are identical then they show up twice in Keycloak admin web console user search. The logging looks like:

...
LdapOperation: lookupById
  baseDN: cn=users,cn=accounts,dc=acc,dc=jlab,dc=org
  filter: (&(objectClass=*)(uid=cuffe))
  searchScope: 1
  returningAttrs: [uid, givenName, mail, sn, createTimestamp, modifyTimestamp]
took: 61 ms

....

LdapOperation: search
  baseDn: cn=users,cn=accounts,dc=acc,dc=jlab,dc=org
  filter: (&(sn=cuffe)(objectclass=inetOrgPerson)(objectclass=organizationalPerson))
  searchScope: 1
  returningAttrs: [uid, givenName, mail, sn, createTimestamp, modifyTimestamp]
  resultSize: 1
took: 50 ms
...

I created an issue ticket:
https://issues.jboss.org/browse/KEYCLOAK-9926

________________________________
From: Ryan Slominski
Sent: Wednesday, March 27, 2019 1:07 PM
To: keycloak-user
Subject: Why duplicate records found for user?

I've noticed this behavior with both Keycloak 4.1.0 and Keycloak 5.0.0: when using admin web interface "Users" search duplicate records are found for some users. What could possibly be causing this?

I've tried clearing all caches from (Realm Settings > Cache) and I've tried removing imported users (User Federation > ldap storage provider > "Remove Imported" button). Still seeing duplicates for some users. Weird. I've got UUID LDAP attribute set to nsuniqueid with keycloak 4.1.0 and to uid with keycloak 5.0.0 (both pointing to same Red Hat Identity Manager instance). Duplicate users don't seem to be duplicated in LDAP. Maybe group-ldap-mapper is doing something weird? Is this due to Brokered Identities? Or is this just a bug?

From mposolda at redhat.com Wed Mar 27 15:19:25 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 27 Mar 2019 20:19:25 +0100
Subject: [keycloak-user] Why duplicate records found for user?
In-Reply-To: References: Message-ID:

On 27/03/2019 19:52, Ryan Slominski wrote:
> I found some clues by enabling TRACE logging:
>
>
> ./jboss-cli.sh --connect
> /subsystem=logging/logger=org.keycloak/:add(category=org.keycloak,level=TRACE)
>
> I then tailed the log file while performing user search. I see that two LDAP queries are executed. The first one is look for user by ID. The second one is look for user by lastname.

Yes, you're right. Our current implementation of searching users from admin console is trying to look up users from LDAP based on username and lastName. We plan some improvements in admin console around searching users (which will include the ability to specify if you want to search by username, email, fullName etc. rather than having a single field where you can't specify attributes at all).

> What it means is if you have a user whose username and lastname are identical then they show up twice in Keycloak admin web console user search. The logging looks like:

I don't think so. It can happen that the same user with username "foo" and lastName "foo" will be found twice in LDAP due to both queries you pointed out, however he will be shown just once in the admin console.

Marek

>
> ...
> LdapOperation: lookupById
>   baseDN: cn=users,cn=accounts,dc=acc,dc=jlab,dc=org
>   filter: (&(objectClass=*)(uid=cuffe))
>   searchScope: 1
>   returningAttrs: [uid, givenName, mail, sn, createTimestamp, modifyTimestamp]
> took: 61 ms
>
> ....
>
> LdapOperation: search
>   baseDn: cn=users,cn=accounts,dc=acc,dc=jlab,dc=org
>   filter: (&(sn=cuffe)(objectclass=inetOrgPerson)(objectclass=organizationalPerson))
>   searchScope: 1
>   returningAttrs: [uid, givenName, mail, sn, createTimestamp, modifyTimestamp]
>   resultSize: 1
> took: 50 ms
> ...
>
>
> I created an issue ticket:
> https://issues.jboss.org/browse/KEYCLOAK-9926
>
> ________________________________
> From: Ryan Slominski
> Sent: Wednesday, March 27, 2019 1:07 PM
> To: keycloak-user
> Subject: Why duplicate records found for user?
>
> I've noticed this behavior with both Keycloak 4.1.0 and Keycloak 5.0.0: when using admin web interface "Users" search duplicate records are found for some users. What could possibly be causing this?
>
> I've tried clearing all caches from (Realm Settings > Cache) and I've tried removing imported users (User Federation > ldap storage provider > "Remove Imported" button). Still seeing duplicates for some users. Weird. I've got UUID LDAP attribute set to nsuniqueid with keycloak 4.1.0 and to uid with keycloak 5.0.0 (both pointing to same Red Hat Identity Manager instance). Duplicate users don't seem to be duplicated in LDAP. Maybe group-ldap-mapper is doing something weird? Is this due to Brokered Identities? Or is this just a bug?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Wed Mar 27 15:22:32 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 27 Mar 2019 20:22:32 +0100
Subject: [keycloak-user] keycloak database
In-Reply-To: <901314576.12519564.1553712652555@mail.yahoo.com>
References: <901314576.12519564.1553712652555.ref@mail.yahoo.com> <901314576.12519564.1553712652555@mail.yahoo.com>
Message-ID: <1b268cc2-d6f2-114e-b41b-afb8e23dd7ae@redhat.com>

On 27/03/2019 19:50, Andrew Meyer wrote:
> So I've created the keycloak database, but when I login to the admin side and set it all up should there be any other databases/tables that get added to MariaDB/MySQL/ or PostGreSQL?
> I see a blank database. Did I miss something?

Yes, you should see tables in the DB after you start Keycloak and login to admin console. If you don't see it, you probably configured the DB wrongly or you're looking at some bad place?

Marek

> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Wed Mar 27 15:24:31 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 27 Mar 2019 20:24:31 +0100
Subject: [keycloak-user] Why duplicate records found for user?
In-Reply-To:
References:
Message-ID:

On 27/03/2019 20:19, Marek Posolda wrote:
> On 27/03/2019 19:52, Ryan Slominski wrote:
>> I found some clues by enabling TRACE logging:
>>
>>
>> ./jboss-cli.sh --connect
>> /subsystem=logging/logger=org.keycloak/:add(category=org.keycloak,level=TRACE)
>>
>>
>> I then tailed the log file while performing user search. I see that two LDAP queries are executed. The first one is look for user by ID. The second one is look for user by lastname.
> Yes, you're right. Our current implementation of searching users from admin console is trying to lookup users from LDAP based on username and lastName. We plan some improvements in admin console around searching users (which will include the ability to specify if you want to search by username, email, fullName etc rather than having single field when you can't specify attributes at all).
>> What it means is if you have a user whose username and lastname are identical then they show up twice in Keycloak admin web console user search. The logging looks like:
>
> I don't think so. It can happen that same user with username "foo" and lastName "foo" will be found twice in LDAP due to both queries you pointed, however he will be shown just once in the admin console.
>
> Marek

Reading your JIRA where you mentioned that you indeed see duplicated results in the admin console. So it looks like I was wrong... I guess you have "Import users" disabled? Could you please check with "Import users" enabled if you see this behaviour?

Thanks,
Marek

>
>>
>> ...
>> LdapOperation: lookupById
>>   baseDN: cn=users,cn=accounts,dc=acc,dc=jlab,dc=org
>>   filter: (&(objectClass=*)(uid=cuffe))
>>   searchScope: 1
>>   returningAttrs: [uid, givenName, mail, sn, createTimestamp, modifyTimestamp]
>> took: 61 ms
>>
>> ....
>>
>> LdapOperation: search
>>   baseDn: cn=users,cn=accounts,dc=acc,dc=jlab,dc=org
>>   filter: (&(sn=cuffe)(objectclass=inetOrgPerson)(objectclass=organizationalPerson))
>>   searchScope: 1
>>   returningAttrs: [uid, givenName, mail, sn, createTimestamp, modifyTimestamp]
>>   resultSize: 1
>> took: 50 ms
>> ...
>>
>>
>> I created an issue ticket:
>> https://issues.jboss.org/browse/KEYCLOAK-9926
>>
>> ________________________________
>> From: Ryan Slominski
>> Sent: Wednesday, March 27, 2019 1:07 PM
>> To: keycloak-user
>> Subject: Why duplicate records found for user?
>>
>> I've noticed this behavior with both Keycloak 4.1.0 and Keycloak 5.0.0: when using the admin web interface "Users" search, duplicate records are found for some users. What could possibly be causing this?
>>
>> I've tried clearing all caches from (Realm Settings > Cache) and I've tried removing imported users (User Federation > ldap storage provider > "Remove Imported" button). Still seeing duplicates for some users. Weird. I've got UUID LDAP attribute set to nsuniqueid with keycloak 4.1.0 and to uid with keycloak 5.0.0 (both pointing to same Red Hat Identity Manager instance). Duplicate users don't seem to be duplicated in LDAP. Maybe group-ldap-mapper is doing something weird? Is this due to Brokered Identities? Or is this just a bug?
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

From mposolda at redhat.com Wed Mar 27 15:25:46 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 27 Mar 2019 20:25:46 +0100
Subject: [keycloak-user] LDAP null uuid Regression?
In-Reply-To:
References:
Message-ID:

I guess you already fixed this based on your other post?

Thanks,
Marek

On 27/03/2019 17:00, Ryan Slominski wrote:
> I'm attempting to set up Keycloak 5.0.0 with Java 11 with an LDAP User Storage Provider, and I am unable to load users into Keycloak. I'm using Red Hat Identity Manager as the LDAP server (which, I believe, uses Red Hat Directory Server under the hood). The error in the log file when I navigate to the "Users" menu to try to search for a user is:
>
>
> 2019-03-27 11:38:54,095 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-15) Uncaught server error: org.keycloak.models.ModelException: User returned from LDAP has null uuid! Check configuration of your LDAP settings. UUID Attribute must be unique among your LDAP records and available on all the LDAP user records. If your LDAP server really doesn't support the notion of UUID, you can use any other attribute, which is supposed to be unique among LDAP users in tree. For example 'uid' or 'entryDN' . Mapped UUID LDAP attribute: nsuniqueid, user DN: uid=ryans,cn=users,cn=accounts,dc=acc,dc=jlab,dc=org
>         at org.keycloak.keycloak-ldap-federation@5.0.0//org.keycloak.storage.ldap.LDAPUtils.checkUuid(LDAPUtils.java:123)
>         at org.keycloak.keycloak-ldap-federation@5.0.0//org.keycloak.storage.ldap.LDAPStorageProvider.importUserFromLDAP(LDAPStorageProvider.java:498)
>         at org.keycloak.keycloak-ldap-federation@5.0.0//org.keycloak.storage.ldap.LDAPStorageProvider.searchForUser(LDAPStorageProvider.java:372)
>         at org.keycloak.keycloak-ldap-federation@5.0.0//org.keycloak.storage.ldap.LDAPStorageProvider.searchForUser(LDAPStorageProvider.java:354)
>         at org.keycloak.keycloak-services@5.0.0//org.keycloak.storage.UserStorageManager.lambda$searchForUser$1(UserStorageManager.java:537)
>         at org.keycloak.keycloak-services@5.0.0//org.keycloak.storage.UserStorageManager.query(UserStorageManager.java:505)
>         at org.keycloak.keycloak-services@5.0.0//org.keycloak.storage.UserStorageManager.searchForUser(UserStorageManager.java:535)
>         at org.keycloak.keycloak-model-infinispan@5.0.0//org.keycloak.models.cache.infinispan.UserCacheSession.searchForUser(UserCacheSession.java:573)
>         at org.keycloak.keycloak-services@5.0.0//org.keycloak.services.resources.admin.UsersResource.getUsers(UsersResource.java:202)
>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>         at org.jboss.resteasy.resteasy-jaxrs@3.6.2.Final//org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>         at org.jboss.resteasy.resteasy-jaxrs@3.6.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
>         at org.jboss.resteasy.resteasy-jaxrs@3.6.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
>         at org.jboss.resteasy.resteasy-jaxrs@3.6.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
>         at org.jboss.resteasy.resteasy-jaxrs@3.6.2.Final//org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
>         at org.jboss.resteasy.resteasy-jaxrs@3.6.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
>         at org.jboss.resteasy.resteasy-jaxrs@3.6.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
>         at org.jboss.resteasy.resteasy-jaxrs@3.6.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
>         at org.jboss.resteasy.resteasy-jaxrs@3.6.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
>         at org.jboss.resteasy.resteasy-jaxrs@3.6.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
>         at org.jboss.resteasy.resteasy-jaxrs@3.6.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
>         at org.jboss.resteasy.resteasy-jaxrs@3.6.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
>         at org.jboss.resteasy.resteasy-jaxrs@3.6.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
>         at org.jboss.resteasy.resteasy-jaxrs@3.6.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:439)
>         at org.jboss.resteasy.resteasy-jaxrs@3.6.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
>         at org.jboss.resteasy.resteasy-jaxrs@3.6.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
>         at org.jboss.resteasy.resteasy-jaxrs@3.6.2.Final//org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
>         at org.jboss.resteasy.resteasy-jaxrs@3.6.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
>         at org.jboss.resteasy.resteasy-jaxrs@3.6.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
>         at org.jboss.resteasy.resteasy-jaxrs@3.6.2.Final//org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
>         at org.jboss.resteasy.resteasy-jaxrs@3.6.2.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>         at org.jboss.resteasy.resteasy-jaxrs@3.6.2.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>         at javax.servlet.api@1.0.0.Final//javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
>         at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
>         at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>         at org.keycloak.keycloak-services@5.0.0//org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>         at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>         at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>         at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>         at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>         at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
>         at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>         at org.wildfly.extension.undertow@15.0.1.Final//org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>         at io.undertow.core@2.0.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
>         at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>         at io.undertow.core@2.0.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.core@2.0.15.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>         at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>         at io.undertow.core@2.0.15.Final//io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>         at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>         at io.undertow.core@2.0.15.Final//io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>         at io.undertow.core@2.0.15.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>         at io.undertow.core@2.0.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at org.wildfly.extension.undertow@15.0.1.Final//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>         at io.undertow.core@2.0.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at org.wildfly.extension.undertow@15.0.1.Final//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
>         at io.undertow.core@2.0.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>         at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>         at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>         at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>         at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>         at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>         at org.wildfly.extension.undertow@15.0.1.Final//org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>         at org.wildfly.extension.undertow@15.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>         at org.wildfly.extension.undertow@15.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>         at org.wildfly.extension.undertow@15.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>         at org.wildfly.extension.undertow@15.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>         at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>         at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>         at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>         at io.undertow.core@2.0.15.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
>         at io.undertow.core@2.0.15.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
>         at org.jboss.threads@2.3.2.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
>         at org.jboss.threads@2.3.2.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
>         at org.jboss.threads@2.3.2.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
>         at org.jboss.threads@2.3.2.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
>         at java.base/java.lang.Thread.run(Thread.java:834)
>
>
> I believe this is a regression since I have this currently working on another server using Keycloak 4.1.0 and Java 8. As a workaround I can update the "UUID LDAP attribute" from "nsuniqueid" to "uid" and then it works again (I can search for and find users on the Users page). However, I know the "nsuniqueid" field exists in LDAP and I'm using that field with Keycloak 4.1.0. Should I create an issue ticket for this?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Wed Mar 27 15:28:32 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 27 Mar 2019 20:28:32 +0100
Subject: [keycloak-user] Purpose of proxy_address_forwardinf variable?
In-Reply-To:
References:
Message-ID: <903476dd-c375-ee90-626c-5ef7b92c1c1f@redhat.com>

See docs for more details: https://www.keycloak.org/docs/latest/server_installation/index.html#identifying-client-ip-addresses

Marek

On 26/03/2019 21:18, Mike W. wrote:
> Does anyone know what exactly is the purpose of the proxy_address_forwarding variable and what are its expected effects once it is enabled and added to the http and https listeners in the standalone / standalone-ha xml files?
>
> Thanks,
>
> Mike
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Wed Mar 27 15:36:54 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 27 Mar 2019 20:36:54 +0100
Subject: [keycloak-user] Option to disable SPNEGO
In-Reply-To:
References:
Message-ID:

On 26/03/2019 21:02, Ryan Slominski wrote:
> With the "LDAP" User Storage Provider you can configure authentication with a Kerberos password, but disable SPNEGO. The admin web interface labels this "Allow Kerberos Authentication" (seems like a bad label). However, with the "Kerberos" User Storage Provider there is no such option. Is there a reason, or can this be added?

It is not on the Kerberos provider as when you configured "Kerberos" provider, there is an assumption that you will want SPNEGO integration.
>
> Going a step further, the option to request SPNEGO be disabled via url parameter (regardless of LDAP vs Kerberos User Storage Provider) was discussed years ago (http://lists.jboss.org/pipermail/keycloak-dev/2015-October/005399.html) with no resolution. Where are we with this? Either the parameter approach or some sort of support for "Switch User" would be appreciated because it is very tricky to accommodate with the current API. Currently I'm using a brokered identity provider which is a duplicate of the primary realm minus SPNEGO support. Then client applications are coded with a "switch user" link that uses the idp_hint parameter to indicate the special su brokered realm be used. Seems unnecessarily complex. Maybe I'm missing something easier?

There is nothing easier ATM and nothing was done in the end.

I was thinking about another option (maybe it was discussed in the thread, but not 100% sure...) to use "prompt=select_account" parameter supported by OIDC protocol. The original purpose of the "prompt=select_account" is maybe a bit different - it allows you to choose the account when you're somehow authenticated to multiple accounts. However I can see the usage for the use-cases like SPNEGO or X.509 authentication, that when the parameter is used, it will show the confirmation screen (aka "Is this you?" screen) where user will confirm that he wants to authenticate with his SPNEGO/X509 identity.

Marek

> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ryans at jlab.org Wed Mar 27 15:44:56 2019
From: ryans at jlab.org (Ryan Slominski)
Date: Wed, 27 Mar 2019 19:44:56 +0000
Subject: [keycloak-user] LDAP null uuid Regression?
In-Reply-To:
References:
Message-ID:

I implemented a work-around, but I can't explain why nsuniqueid no longer works with Red Hat Identity Manager LDAP. This seems like a regression.
I probably need to create an issue ticket for this. ________________________________ From: Marek Posolda Sent: Wednesday, March 27, 2019 3:25 PM To: Ryan Slominski; keycloak-user Subject: Re: [keycloak-user] LDAP null uuid Regression? I guess you already fixed this based on your other post? Thanks, Marek On 27/03/2019 17:00, Ryan Slominski wrote: > I'm attempting to setup Keycloak 5.0.0 with Java 11 with a LDAP User Storage Provider, and I am unable to load users into Keycloak. I'm using Red Hat Identity Manager as the LDAP server (which, I believe uses Red Hat Directory Server under the hood). The error in the log file when I navigate to the "Users" menu to try to search for a user is: > > > > > 2019-03-27 11:38:54,095 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-15) Uncaught server error: org.keycloak.models.ModelException: User returned from LDAP has null uuid! Check configuration of your LDAP settings. UUID Attribute must be unique among your LDAP records and available on all the LDAP user records. If your LDAP server really doesn't support the notion of UUID, you can use any other attribute, which is supposed to be unique among LDAP users in tree. For example 'uid' or 'entryDN' . 
Mapped UUID LDAP attribute: nsuniqueid, user DN: uid=ryans,cn=users,cn=accounts,dc=acc,dc=jlab,dc=org > > at org.keycloak.keycloak-ldap-federation at 5.0.0//org.keycloak.storage.ldap.LDAPUtils.checkUuid(LDAPUtils.java:123) > > at org.keycloak.keycloak-ldap-federation at 5.0.0//org.keycloak.storage.ldap.LDAPStorageProvider.importUserFromLDAP(LDAPStorageProvider.java:498) > > at org.keycloak.keycloak-ldap-federation at 5.0.0//org.keycloak.storage.ldap.LDAPStorageProvider.searchForUser(LDAPStorageProvider.java:372) > > at org.keycloak.keycloak-ldap-federation at 5.0.0//org.keycloak.storage.ldap.LDAPStorageProvider.searchForUser(LDAPStorageProvider.java:354) > > at org.keycloak.keycloak-services at 5.0.0//org.keycloak.storage.UserStorageManager.lambda$searchForUser$1(UserStorageManager.java:537) > > at org.keycloak.keycloak-services at 5.0.0//org.keycloak.storage.UserStorageManager.query(UserStorageManager.java:505) > > at org.keycloak.keycloak-services at 5.0.0//org.keycloak.storage.UserStorageManager.searchForUser(UserStorageManager.java:535) > > at org.keycloak.keycloak-model-infinispan at 5.0.0//org.keycloak.models.cache.infinispan.UserCacheSession.searchForUser(UserCacheSession.java:573) > > at org.keycloak.keycloak-services at 5.0.0//org.keycloak.services.resources.admin.UsersResource.getUsers(UsersResource.java:202) > > at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > > at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > at java.base/java.lang.reflect.Method.invoke(Method.java:566) > > at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) > > at org.jboss.resteasy.resteasy-jaxrs at 
3.6.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509) > > at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399) > > at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363) > > at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355) > > at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365) > > at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337) > > at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) > > at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106) > > at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132) > > at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106) > > at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132) > > at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) > > at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:439) > > at org.jboss.resteasy.resteasy-jaxrs at 
3.6.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229) > > at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135) > > at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355) > > at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138) > > at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215) > > at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) > > at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > > at org.jboss.resteasy.resteasy-jaxrs at 3.6.2.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > > at javax.servlet.api at 1.0.0.Final//javax.servlet.http.HttpServlet.service(HttpServlet.java:791) > > at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) > > at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > > at org.keycloak.keycloak-services at 5.0.0//org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > > at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) > > at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > > at 
io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > > at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > > at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) > > at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > > at org.wildfly.extension.undertow at 15.0.1.Final//org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > > at io.undertow.core at 2.0.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) > > at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > > at io.undertow.core at 2.0.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at io.undertow.core at 2.0.15.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > > at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > > at io.undertow.core at 2.0.15.Final//io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > > at io.undertow.servlet at 
2.0.15.Final//io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > > at io.undertow.core at 2.0.15.Final//io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > > at io.undertow.core at 2.0.15.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > > at io.undertow.core at 2.0.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at org.wildfly.extension.undertow at 15.0.1.Final//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > > at io.undertow.core at 2.0.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at org.wildfly.extension.undertow at 15.0.1.Final//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) > > at io.undertow.core at 2.0.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) > > at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) > > at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) > > at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) > > at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) > > at io.undertow.servlet at 
2.0.15.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) > > at org.wildfly.extension.undertow at 15.0.1.Final//org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) > > at org.wildfly.extension.undertow at 15.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > > at org.wildfly.extension.undertow at 15.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > > at org.wildfly.extension.undertow at 15.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > > at org.wildfly.extension.undertow at 15.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > > at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) > > at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > > at io.undertow.servlet at 2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) > > at io.undertow.core at 2.0.15.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) > > at io.undertow.core at 2.0.15.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) > > at org.jboss.threads at 2.3.2.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) > > at org.jboss.threads at 
> > I believe this is a regression since I have this currently working on another server using Keycloak 4.1.0 and Java 8. As a workaround I can update the "UUID LDAP attribute" from "nsuniqueid" to "uid" and then it works again (I can search for and find users on the Users page). However, I know the "nsuniqueid" field exists in LDAP and I'm using that field with Keycloak 4.1.0. Should I create an issue ticket for this?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ryans at jlab.org Wed Mar 27 15:55:37 2019
From: ryans at jlab.org (Ryan Slominski)
Date: Wed, 27 Mar 2019 19:55:37 +0000
Subject: [keycloak-user] Option to disable SPNEGO

The OIDC protocol "prompt=select_account" looks very interesting. I think this would be sufficient for handling "switch user".

It actually looks like "select account" is more sophisticated than "switch user" as it supports multiple users simultaneously and you choose a primary account. With switch user it is simply the ability to choose which user is logged in, but not necessarily more than one at a time. The fact "select account" is an OIDC standard makes it very appealing.
It seems one of the Keycloak competitors has this: https://connect2id.com/products/server/docs/guides/select-account

Is there an issue ticket for this already?
________________________________
From: Marek Posolda
Sent: Wednesday, March 27, 2019 3:36 PM
To: Ryan Slominski; keycloak-user
Subject: Re: [keycloak-user] Option to disable SPNEGO

On 26/03/2019 21:02, Ryan Slominski wrote:
> With the "LDAP" User Storage Provider you can configure authentication with a Kerberos password, but disable SPNEGO. The admin web interface labels this "Allow Kerberos Authentication" (seems like a bad label). However, with the "Kerberos" User Storage Provider there is no such option. Is there a reason, or can this be added?

It is not on the Kerberos provider as when you configured "Kerberos" provider, there is an assumption that you will want SPNEGO integration.

> Going a step further, the option to request SPNEGO be disabled via url parameter (regardless of LDAP vs Kerberos User Storage Provider) was discussed years ago (http://lists.jboss.org/pipermail/keycloak-dev/2015-October/005399.html) with no resolution. Where are we with this? Either the parameter approach or some sort of support for "Switch User" would be appreciated because it is very tricky to accommodate with the current API. Currently I'm using a brokered identity provider which is a duplicate of the primary realm minus SPNEGO support. Then client applications are coded with a "switch user" link that uses the idp_hint parameter to indicate the special su brokered realm be used. Seems unnecessarily complex. Maybe I'm missing something easier?

There is nothing easier ATM and nothing was done in the end.
I was thinking about another option (maybe it was discussed in the thread, but not 100% sure...) to use "prompt=select_account" parameter supported by OIDC protocol. The original purpose of the "prompt=select_account" is maybe a bit different - it allows you to choose the account when you're somehow authenticated to multiple accounts. However I can see the usage for the use-cases like SPNEGO or X.509 authentication, that when the parameter is used, it will show the confirmation screen (aka "Is this you?" screen) where user will confirm that he wants to authenticate with his SPNEGO/X509 identity.

Marek

From tswiftma at gmail.com Wed Mar 27 16:33:37 2019
From: tswiftma at gmail.com (Tim Swift)
Date: Wed, 27 Mar 2019 16:33:37 -0400
Subject: [keycloak-user] Load testing and performance

Hi Thelo,

I was wondering if you ever got Keycloak to the performance login level that you needed it.
I have a similar setup using Docker/Kubernetes/Azure:
- 4 pod instances of Keycloak (2 CPUs, 1.2 GB memory each)
- 1 Postgres DB in Azure with 4 vCores, 500 connections max

Ran a 400 thread JMeter load test to measure response time of POST login to /auth/realms/(domain)/login-actions

Results were around 35 logins per second (14098 logins in 400 seconds)

Thanks,
Tim

From ryans at jlab.org Wed Mar 27 16:35:30 2019
From: ryans at jlab.org (Ryan Slominski)
Date: Wed, 27 Mar 2019 20:35:30 +0000
Subject: [keycloak-user] Option to disable SPNEGO

Ticket created: https://issues.jboss.org/browse/KEYCLOAK-9927

From andrewm659 at yahoo.com Wed Mar 27 17:06:51 2019
From: andrewm659 at yahoo.com (Andrew Meyer)
Date: Wed, 27 Mar 2019 21:06:51 +0000 (UTC)
Subject: [keycloak-user] keycloak database
In-Reply-To: <1b268cc2-d6f2-114e-b41b-afb8e23dd7ae@redhat.com>
Message-ID: <1054573653.12556125.1553720811869@mail.yahoo.com>

Hmm...here is what my database config looks like.

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 48002
Server version: 10.1.38-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use keycloak;
Database changed
MariaDB [keycloak]> SELECT @@character_set_database, @@collation_database;
+--------------------------+----------------------+
| @@character_set_database | @@collation_database |
+--------------------------+----------------------+
| utf8                     | utf8_unicode_ci      |
+--------------------------+----------------------+
1 row in set (0.00 sec)

MariaDB [keycloak]>

Is there something else I need to do to populate the database?
On Wed, Mar 27, 2019 at 2:22 PM, Marek Posolda wrote:
On 27/03/2019 19:50, Andrew Meyer wrote:
> So I've created the keycloak database, but when I login to the admin side and set it all up should there be any other databases/tables that get added to MariaDB/MySQL/ or PostGreSQL?
> I see a blank database. Did I miss something?

Yes, you should see tables in the DB after you start Keycloak and login to admin console. If you don't see it, you probably configured the DB wrongly or you're looking at some bad place?

Marek

From ryans at jlab.org Wed Mar 27 17:20:46 2019
From: ryans at jlab.org (Ryan Slominski)
Date: Wed, 27 Mar 2019 21:20:46 +0000
Subject: [keycloak-user] LDAP null uuid Regression?

Ticket created: https://issues.jboss.org/browse/KEYCLOAK-9928
________________________________
From: Ryan Slominski
Sent: Wednesday, March 27, 2019 3:44 PM
To: Marek Posolda; keycloak-user
Subject: Re: [keycloak-user] LDAP null uuid Regression?

I implemented a work-around, but I can't explain why nsuniqueid no longer works with Red Hat Identity Manager LDAP. This seems like a regression. I probably need to create an issue ticket for this.
________________________________
From: Marek Posolda
Sent: Wednesday, March 27, 2019 3:25 PM
To: Ryan Slominski; keycloak-user
Subject: Re: [keycloak-user] LDAP null uuid Regression?

I guess you already fixed this based on your other post?

Thanks,
Marek

On 27/03/2019 17:00, Ryan Slominski wrote:
> I'm attempting to setup Keycloak 5.0.0 with Java 11 with a LDAP User Storage Provider, and I am unable to load users into Keycloak. I'm using Red Hat Identity Manager as the LDAP server (which, I believe uses Red Hat Directory Server under the hood).
> The error in the log file when I navigate to the "Users" menu to try to search for a user is:
>
> 2019-03-27 11:38:54,095 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-15) Uncaught server error: org.keycloak.models.ModelException: User returned from LDAP has null uuid! Check configuration of your LDAP settings. UUID Attribute must be unique among your LDAP records and available on all the LDAP user records. If your LDAP server really doesn't support the notion of UUID, you can use any other attribute, which is supposed to be unique among LDAP users in tree. For example 'uid' or 'entryDN' . Mapped UUID LDAP attribute: nsuniqueid, user DN: uid=ryans,cn=users,cn=accounts,dc=acc,dc=jlab,dc=org
>
> I believe this is a regression since I have this currently working on another server using Keycloak 4.1.0 and Java 8. As a workaround I can update the "UUID LDAP attribute" from "nsuniqueid" to "uid" and then it works again (I can search for and find users on the Users page). However, I know the "nsuniqueid" field exists in LDAP and I'm using that field with Keycloak 4.1.0. Should I create an issue ticket for this?
From andrewm659 at yahoo.com Wed Mar 27 20:24:00 2019
From: andrewm659 at yahoo.com (Andrew Meyer)
Date: Thu, 28 Mar 2019 00:24:00 +0000 (UTC)
Subject: [keycloak-user] keycloak database
In-Reply-To: <1054573653.12556125.1553720811869@mail.yahoo.com>
Message-ID: <1230589303.12699835.1553732640189@mail.yahoo.com>

I found my problem:

2019-03-27 15:29:53,192 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "datasources"),
    ("data-source" => "Keycloak1DS")
]) - failure description: {
    "WFLYCTL0412: Required services that are not installed:" => [
        "jboss.jdbc-driver.mysql",
        "jboss.jdbc-driver.mysql"
    ],
    "WFLYCTL0180: Services with missing/unavailable dependencies" => [
        "jboss.driver-demander.java:jboss/datasources/mysqlDS is missing [jboss.jdbc-driver.mysql]",
        "org.wildfly.data-source.Keycloak1DS is missing [jboss.jdbc-driver.mysql]",
        "org.wildfly.data-source.Keycloak1DS is missing [jboss.jdbc-driver.mysql]"
    ]
}

I don't understand why I'm getting this error. The driver is there.

From gary at apnic.net Thu Mar 28 01:13:47 2019
From: gary at apnic.net (Gary Kennedy)
Date: Thu, 28 Mar 2019 05:13:47 +0000
Subject: [keycloak-user] Getting auth request params in script mapper?

Looking at the AuthorizationEndpoint class I notice that additional authorization request parameters are put in the authentication session client notes.
(https://github.com/keycloak/keycloak/blob/4.8.2.Final/services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java#L379)

I would like to work with those request parameters in a (preferably script) mapper to put calculated claims into the access token however I can't seem to find them.

Does anyone have any ideas/thoughts on how I can use the authorization request parameters to put claims into tokens? Preferably without code customisation/provider; but that's a restriction I can break if needed :)

I thought this would work, but the only note is the issuer ("iss").

userSession.getAuthenticatedClientSessionByClient(keycloakSession.getContext().getClient().getId()).getNotes();

Cheers,
Gary

From mposolda at redhat.com Thu Mar 28 04:05:27 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 28 Mar 2019 09:05:27 +0100
Subject: [keycloak-user] Option to disable SPNEGO

Thanks for the JIRA.

Marek

On 27/03/2019 21:35, Ryan Slominski wrote:
> Ticket created:
> https://issues.jboss.org/browse/KEYCLOAK-9927

From vramik at redhat.com Thu Mar 28 05:32:59 2019
From: vramik at redhat.com (Vlasta Ramik)
Date: Thu, 28 Mar 2019 10:32:59 +0100
Subject: [keycloak-user] Problem with Github Identity Provider
Message-ID: <92f9f13d-fc78-7248-3931-b2084eac034c@redhat.com>

Hey Peter,

I'd start at https://www.keycloak.org/docs/latest/server_admin/index.html#github and try to create the idp from scratch and see if it works or not and why.

Regards,
V.

On 3/27/19 11:17 AM, Peter Braun wrote:
> Hey everyone,
>
> I'm having trouble with the Github Identity Provider in Keycloak 4 (using RH-SSO 7.3) where it was working fine with Keycloak 3 (RH-SSO 7.2). Realm, Client and Provider are configured in the same way but login fails and I get this error in the logs:
>
> 09:14:19,823 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-71) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access token available in OAuth server response: {"error":"unauthorized_client","error_description":"The client is not authorized to request a token using this method."}
>
> I've already checked that the credentials are correct and that the realm, client and idp settings are similar to the Keycloak 3 instance. Any idea where to best start looking?
>
> Regards,
> Peter
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From pbraun at redhat.com Thu Mar 28 06:06:44 2019
From: pbraun at redhat.com (Peter Braun)
Date: Thu, 28 Mar 2019 11:06:44 +0100
Subject: [keycloak-user] Problem with Github Identity Provider
In-Reply-To: <92f9f13d-fc78-7248-3931-b2084eac034c@redhat.com>
References: <92f9f13d-fc78-7248-3931-b2084eac034c@redhat.com>
Message-ID:

Hey Vlasta,

thanks for your reply. I tried recreating the IDP from scratch but it resulted in the same error. Wondering if there is any change in the behaviour between Keycloak 3 and 4 that could cause this? I noticed that Keycloak 4 has a lot more settings, but unsure which one could trigger the oauth token request to fail.

Regards,
Peter

On Thu, Mar 28, 2019 at 10:33 AM Vlasta Ramik wrote:
> Hey Peter,
>
> I'd start at
> https://www.keycloak.org/docs/latest/server_admin/index.html#github and
> try to create the idp from scratch and see if it works or not and why.
>
> Regards,
>
> V.
>
> On 3/27/19 11:17 AM, Peter Braun wrote:
> > Hey everyone,
> >
> > i'm having trouble with the Github Identity Provider in Keycloak 4 (using
> > RH-SSO 7.3) where it was working fine with Keycloak 3 (RH-SSO 7.2). Realm,
> > Client and Provider are configured in the same way but login fails and I
> > get this error in the logs:
> >
> > *09:14:19,823 ERROR
> > [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-71)
> > Failed to make identity provider oauth callback:
> > org.keycloak.broker.provider.IdentityBrokerException: No access token
> > available in OAuth server response:
> > {"error":"unauthorized_client","error_description":"The client is not
> > authorized to request a token using this method."}*
> >
> > I've already checked that the credentials are correct and that the realm,
> > client and idp settings are similar to the Keycloak 3 instance. Any idea
> > where to best start looking?
> >
> > Regards,
> > Peter
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user


From vramik at redhat.com Thu Mar 28 06:35:49 2019
From: vramik at redhat.com (Vlasta Ramik)
Date: Thu, 28 Mar 2019 11:35:49 +0100
Subject: [keycloak-user] Problem with Github Identity Provider
In-Reply-To:
References: <92f9f13d-fc78-7248-3931-b2084eac034c@redhat.com>
Message-ID:

Then it's probably worth creating a ticket at https://issues.jboss.org/browse/KEYCLOAK

Thanks,

V.

On 3/28/19 11:06 AM, Peter Braun wrote:
> Hey Vlasta,
>
> thanks for your reply. I tried recreating the IDP from scratch but it
> resulted in the same error. Wondering if there is any change in the
> behaviour between Keycloak 3 and 4 that could cause this? I noticed
> that Keycloak 4 has a lot more settings, but unsure which one could
> trigger the oauth token request to fail.
>
> Regards,
> Peter
>
> On Thu, Mar 28, 2019 at 10:33 AM Vlasta Ramik wrote:
>
> > Hey Peter,
> >
> > I'd start at
> > https://www.keycloak.org/docs/latest/server_admin/index.html#github and
> > try to create the idp from scratch and see if it works or not and why.
> >
> > Regards,
> >
> > V.
> >
> > On 3/27/19 11:17 AM, Peter Braun wrote:
> > > Hey everyone,
> > >
> > > i'm having trouble with the Github Identity Provider in Keycloak 4 (using
> > > RH-SSO 7.3) where it was working fine with Keycloak 3 (RH-SSO 7.2). Realm,
> > > Client and Provider are configured in the same way but login fails and I
> > > get this error in the logs:
> > >
> > > *09:14:19,823 ERROR
> > > [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-71)
> > > Failed to make identity provider oauth callback:
> > > org.keycloak.broker.provider.IdentityBrokerException: No access token
> > > available in OAuth server response:
> > > {"error":"unauthorized_client","error_description":"The client is not
> > > authorized to request a token using this method."}*
> > >
> > > I've already checked that the credentials are correct and that the realm,
> > > client and idp settings are similar to the Keycloak 3 instance. Any idea
> > > where to best start looking?
> > >
> > > Regards,
> > > Peter
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user


From pbraun at redhat.com Thu Mar 28 07:40:56 2019
From: pbraun at redhat.com (Peter Braun)
Date: Thu, 28 Mar 2019 12:40:56 +0100
Subject: [keycloak-user] Problem with Github Identity Provider
In-Reply-To:
References: <92f9f13d-fc78-7248-3931-b2084eac034c@redhat.com>
Message-ID:

Done: https://issues.jboss.org/browse/KEYCLOAK-9931

On Thu, Mar 28, 2019 at 11:35 AM Vlasta Ramik wrote:
> Then it's probably worth creating a ticket at
> https://issues.jboss.org/browse/KEYCLOAK
>
> Thanks,
>
> V.
>
> On 3/28/19 11:06 AM, Peter Braun wrote:
> > Hey Vlasta,
> >
> > thanks for your reply. I tried recreating the IDP from scratch but it
> > resulted in the same error. Wondering if there is any change in the
> > behaviour between Keycloak 3 and 4 that could cause this? I noticed that
> > Keycloak 4 has a lot more settings, but unsure which one could trigger the
> > oauth token request to fail.
> >
> > Regards,
> > Peter
> >
> > On Thu, Mar 28, 2019 at 10:33 AM Vlasta Ramik wrote:
> >
> >> Hey Peter,
> >>
> >> I'd start at
> >> https://www.keycloak.org/docs/latest/server_admin/index.html#github and
> >> try to create the idp from scratch and see if it works or not and why.
> >>
> >> Regards,
> >>
> >> V.
> >>
> >> On 3/27/19 11:17 AM, Peter Braun wrote:
> >> > Hey everyone,
> >> >
> >> > i'm having trouble with the Github Identity Provider in Keycloak 4 (using
> >> > RH-SSO 7.3) where it was working fine with Keycloak 3 (RH-SSO 7.2). Realm,
> >> > Client and Provider are configured in the same way but login fails and I
> >> > get this error in the logs:
> >> >
> >> > *09:14:19,823 ERROR
> >> > [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-71)
> >> > Failed to make identity provider oauth callback:
> >> > org.keycloak.broker.provider.IdentityBrokerException: No access token
> >> > available in OAuth server response:
> >> > {"error":"unauthorized_client","error_description":"The client is not
> >> > authorized to request a token using this method."}*
> >> >
> >> > I've already checked that the credentials are correct and that the realm,
> >> > client and idp settings are similar to the Keycloak 3 instance. Any idea
> >> > where to best start looking?
> >> >
> >> > Regards,
> >> > Peter
> >> > _______________________________________________
> >> > keycloak-user mailing list
> >> > keycloak-user at lists.jboss.org
> >> > https://lists.jboss.org/mailman/listinfo/keycloak-user


From Michael.Kebe at hkm.de Thu Mar 28 09:45:35 2019
From: Michael.Kebe at hkm.de (Michael Kebe)
Date: Thu, 28 Mar 2019 13:45:35 +0000
Subject: [keycloak-user] Backchannel logout for multiple webapps using a single openid-connect client
Message-ID: <20190328-144545.13nldvkcw-2uk@mailcc14>

Hi mailinglist,

is it possible to get backchannel logout working with a single openid-connect client, which is used by multiple webapps?

To get backchannel logout working for a single webapp I had to set the Admin URL to a specific URL of one webapp. I expected that Keycloak stores from where the session is initiated and knows where the backchannel logout has to be sent to.

I could create for each webapp a specific client and set the Admin URL accordingly, but that is too much configuration work for over 100 webapps.

Do I misunderstand the public Access Type?

Michael

Hüttenwerke Krupp Mannesmann GmbH, Ehinger Str. 200, D-47259 Duisburg
Management Board: Dr. Herbert Eichelkraut, Dr. Gerhard Erdmann, Carsten Laakmann
Chairman of the Supervisory Board: Prof. Dr.-Ing. Heinz Jörg Fuhrmann
Registered office: Duisburg
Commercial register: Amtsgericht Duisburg HRB 4716
http://www.hkm.de


From lemso at free.fr Thu Mar 28 09:49:22 2019
From: lemso at free.fr (Lamine Léo Keita)
Date: Thu, 28 Mar 2019 14:49:22 +0100
Subject: [keycloak-user] Display issue in user groups tab
Message-ID:

Hi,

Current version of Keycloak is 4.8.3.Final

When I click on the groups tab of any user in any realm I've got the below display issue.

Anybody already got this?

Regards,
Lamine

-------------- next part --------------
A non-text attachment was scrubbed...
Name: groups selection.png
Type: image/png
Size: 10740 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190328/07fd693c/attachment-0002.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: groups tab.png
Type: image/png
Size: 157331 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190328/07fd693c/attachment-0003.png


From ryans at jlab.org Thu Mar 28 10:24:30 2019
From: ryans at jlab.org (Ryan Slominski)
Date: Thu, 28 Mar 2019 14:24:30 +0000
Subject: [keycloak-user] Display issue in user groups tab
Message-ID:

I'm not seeing that issue. Do you have localization enabled or anything else configured to a non-default value? Any unusual messages in the log file? You can enable trace logging with:

    ./jboss-cli.sh --connect
    /subsystem=logging/logger=org.keycloak/:add(category=org.keycloak,level=TRACE)

If starting from a clean install of Keycloak begin adding your configuration changes until the problem occurs and then we will have found the cause.


From masseoudghassen12 at gmail.com Thu Mar 28 10:25:49 2019
From: masseoudghassen12 at gmail.com (Masseoud Ghassen)
Date: Thu, 28 Mar 2019 15:25:49 +0100
Subject: [keycloak-user] (no subject)
Message-ID:

--
Regards,
MASSEOUD Ghassen
99402944
Master's degree in network and service security


From bruno at abstractj.org Thu Mar 28 10:42:55 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 28 Mar 2019 11:42:55 -0300
Subject: [keycloak-user] Display issue in user groups tab
In-Reply-To:
References:
Message-ID:

Hmmm I don't see that. What do you have at your server logs?

On Thu, Mar 28, 2019 at 10:50 AM Lamine Léo Keita wrote:
>
> Hi,
>
> Current version of Keycloak is 4.8.3.Final
>
> When I click on the groups tab of any user in any realm I've got the below
> display issue.
>
> Anybody already got this?
>
> Regards,
> Lamine
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
- abstractj


From lemso at free.fr Thu Mar 28 12:30:06 2019
From: lemso at free.fr (Lamine Léo Keita)
Date: Thu, 28 Mar 2019 17:30:06 +0100
Subject: [keycloak-user] Display issue in user groups tab
In-Reply-To:
References:
Message-ID:

Hi Bruno,

Thx for your reactivity!

In logs I've got nothing particular as all data are received when clicking on user id to see its details ....

I will try to set log level to debug to see if I can have more logs....

Regards,
Lamine

On Thu, Mar 28, 2019 at 3:42 PM Bruno Oliveira wrote:
> Hmmm I don't see that. What do you have at your server logs?
>
> On Thu, Mar 28, 2019 at 10:50 AM Lamine Léo Keita wrote:
> >
> > Hi,
> >
> > Current version of Keycloak is 4.8.3.Final
> >
> > When I click on the groups tab of any user in any realm I've got the
> > below display issue.
> >
> > Anybody already got this?
> >
> > Regards,
> > Lamine
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> - abstractj


From bruno at abstractj.org Thu Mar 28 13:24:21 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 28 Mar 2019 14:24:21 -0300
Subject: [keycloak-user] Display issue in user groups tab
In-Reply-To:
References:
Message-ID:

Also try to look at the Web browser console. The more details you provide, the better to figure out if there's something wrong.

On Thu, Mar 28, 2019 at 1:30 PM Lamine Léo Keita wrote:
>
> Hi Bruno,
>
> Thx for your reactivity!
>
> In logs I've got nothing particular as all data are received when clicking on user id to see its details ....
>
> I will try to set log level to debug to see if I can have more logs....
>
> Regards,
> Lamine
>
> On Thu, Mar 28, 2019 at 3:42 PM Bruno Oliveira wrote:
>>
>> Hmmm I don't see that. What do you have at your server logs?
>>
>> On Thu, Mar 28, 2019 at 10:50 AM Lamine Léo Keita wrote:
>> >
>> > Hi,
>> >
>> > Current version of Keycloak is 4.8.3.Final
>> >
>> > When I click on the groups tab of any user in any realm I've got the below
>> > display issue.
>> >
>> > Anybody already got this?
>> >
>> > Regards,
>> > Lamine
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> --
>> - abstractj

--
- abstractj


From leandronunes85 at gmail.com Thu Mar 28 13:26:47 2019
From: leandronunes85 at gmail.com (Leandro Nunes)
Date: Thu, 28 Mar 2019 17:26:47 +0000
Subject: [keycloak-user] User federation in KC 5.0.0 duplicating user on some setups
Message-ID:

Hi,

I'm trying KC 5.0.0 running on Java 1.8.0_191 with a newly created Realm simply set up with a custom User Federation (this was tested running "standalone.sh" against the H2 database).

When I login (I'm using the "account" client/application but I think this may be irrelevant for this matter) I get two different results:

- on some computers I can login and logout several times using any given account. After doing so if I search the user by email in the Users section of KC's admin console I see a single entry. This is fine!

- on some other computers, however, I can login for the first time but if I try to login a second time I get a PersistenceException complaining about Unique index or primary key violation (...) ON PUBLIC.USER_ENTITY(REALM_ID, USERNAME) (....). If I search for this user's email on KC's admin console I now see two entries: the one coming from my external source and an extra one created by KC.

This was also tested on KC 4.8.2 with the exact same results.

Have you seen this before? Any ideas about what the problem may be?

Regards,
Leandro Nunes


From lorenzo.fili at radicalbit.io Thu Mar 28 13:43:39 2019
From: lorenzo.fili at radicalbit.io (Lorenzo Filì)
Date: Thu, 28 Mar 2019 18:43:39 +0100
Subject: [keycloak-user] Keycloak with Okta as SAML IdP - Logout
Message-ID:

Hi,

My configuration is as follows: the web application is a confidential client connected to Keycloak. Okta is configured as SAML IdP.

Everything works fine, but not for the logout part. Okta requires you NOT to use the backchannel logout. This way the logout from Okta is done, but the session and access tokens on Keycloak are not invalidated.

Is it possible to have a Single Logout with this configuration?

Lorenzo


From kapilkumarjoshi001 at gmail.com Thu Mar 28 13:46:57 2019
From: kapilkumarjoshi001 at gmail.com (kapil joshi)
Date: Thu, 28 Mar 2019 23:16:57 +0530
Subject: [keycloak-user] Disabling token issuer check
Message-ID:

Hi All,

While trying to validate a third-party token in a NATed environment, we are getting an error in verifying the token, due to a difference in the issuer of the token. Getting an error like:

    org.keycloak.common.VerificationException: Invalid token issuer. Expected "keycloak-service-url" but was 'https://boxip:30003/auth/realms/myrealm'

We are using the stable helm chart for deploying keycloak.

Actually there is a check to enable/disable realmUrlCheck (i.e. the issuer check). If disabled we are good to go. Then we are able to verify the third-party token in the NATed environment too.

My question is, will there be any security concern if we disable this checkRealmUrl check in the adapter?

Thanks & regards
Kapil


From moreno at netguardians.ch Fri Mar 29 03:44:22 2019
From: moreno at netguardians.ch (Kevin Perez Moreno)
Date: Fri, 29 Mar 2019 07:44:22 +0000
Subject: [keycloak-user] Keycloak Integration with Celoxis
Message-ID:

Hello,

I am currently trying to integrate Celoxis into our SSO provided by keycloak. Celoxis is configured to send SAML requests to our keycloak server by using the following IDP endpoint URL:

    https://xxx.xx/auth/realms/Demo/protocol/saml

However, I am getting an "invalid authn request reason invalid destination" WARN message in keycloak.

After changing the log level to DEBUG, I found out that the Celoxis app is sending a SAML with destination URL

    https://xxx.xx/auth/realms/Demo/protocol/saml?

It seems that a question mark was added at the end of the destination URL. Please see DEBUG traces below.

I wonder if this is the expected behavior, i.e., the question mark added at the end of the SAML Destination URL is causing keycloak to throw an invalid authn request error. If this is the expected behavior, I wonder if there is any workaround to avoid this error (perhaps ignoring destination validation?)

    17:06:47,989 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-9) RESTEASY002315: PathInfo: /realms/Demo/protocol/saml
    17:06:47,993 DEBUG [org.keycloak.protocol.saml.SamlService] (default task-9) SAML GET
    17:06:47,994 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-9) SAML Redirect Binding
    17:06:47,994 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-9) celoxis.com
    17:06:47,999 DEBUG [org.keycloak.protocol.saml.SamlService] (default task-9) verified request
    17:06:47,999 DEBUG [org.keycloak.protocol.saml.SamlService] (default task-9) ** login request
    17:06:47,999 WARN [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=Demo, clientId=null, userId=null, ipAddress=x.x.x.x, error=invalid_authn_request, reason=invalid_destination

Thank you in advance

Kevin

[https://cdn.netguardians.ch/images/banner_new_web.jpg]


From leandronunes85 at gmail.com Fri Mar 29 05:28:18 2019
From: leandronunes85 at gmail.com (Leandro Nunes)
Date: Fri, 29 Mar 2019 09:28:18 +0000
Subject: [keycloak-user] User federation in KC 5.0.0 duplicating user on some setups
Message-ID:

Hi guys!

Never mind my question.
As usual the problem was between the chair and the keyboard :/. Sorry for raising this in the first place.

Regards,
Leandro Nunes


From Arnault.BESNARD at b-com.com Fri Mar 29 10:37:54 2019
From: Arnault.BESNARD at b-com.com (Arnault BESNARD)
Date: Fri, 29 Mar 2019 14:37:54 +0000
Subject: [keycloak-user] multiple reset credentials flows
Message-ID: <1553870272264.6431@b-com.com>

Hi,

We're currently developing our own SPI authenticator. In case of authentication failure, we'd like to allow users to reset their credential following a specific scenario.

Unfortunately, there is only one reset credentials flow per realm. So 'forgot password' and our SPI reset credential have to share the same scenario, which does not fit our case.

What is the best way to solve our issue?

Thanks in advance,
Arnault


From simao.sfos at gmail.com Sun Mar 31 08:11:03 2019
From: simao.sfos at gmail.com (Simão Silva)
Date: Sun, 31 Mar 2019 13:11:03 +0100
Subject: [keycloak-user] Keycloak policies eval
Message-ID:

Hi there,

I'm implementing keycloak for authentication in a server with spring boot. I'm doing something like "@RequestMapping("/login")" in java but the policies aren't taken into account, because I can login with every user in the client.

I want something like this https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-jee-vanilla/src/main/webapp/index.jsp, that tells me if the user can or not access the specific client in a resource.

What should I do?

Best regards,
Simão Silva


From craig at baseventure.com Sun Mar 31 15:08:45 2019
From: craig at baseventure.com (Craig Setera)
Date: Sun, 31 Mar 2019 14:08:45 -0500
Subject: [keycloak-user] Authentication Flow Changes in 5.0?
Message-ID:

I previously created a new action token/set initial password authentication flow for Keycloak. I know that this was working previously, but for some reason appears to have stopped working now. The only thing I can think that has changed was upgrading Keycloak from the 4.8.3 version to the 5.0.0 version.

In my code, I'm creating and registering a new AuthenticationFlowModel instance:

    private AuthenticationFlowModel getInitialPasswordFlow(RealmModel realm) {
        AuthenticationFlowModel flow = realm.getFlowByAlias(FLOW_ALIAS);
        if (flow == null) {
            flow = new AuthenticationFlowModel();
            flow.setAlias(FLOW_ALIAS);
            flow.setBuiltIn(true);
            flow.setDescription("Set Initial Password");
            flow.setProviderId(AuthenticationFlow.BASIC_FLOW);
            flow.setTopLevel(true);
            realm.addAuthenticationFlow(flow);
        }

        return flow;
    }

Which is called as part of my handleToken implementation:

    public Response handleToken(
            UserInvitationActionToken token,
            ActionTokenContext tokenContext)
    {
        return tokenContext.processFlow(
                false,
                "set-initial-password",
                getInitialPasswordFlow(tokenContext.getRealm()),
                null,
                new UserInvitationAuthenticationProcessor(token.getRedirectURI()));
    }

However, it does not seem that the password flow is ever executed. It seems to jump right to authenticationComplete:

    /**
     * @see org.keycloak.authentication.AuthenticationProcessor#authenticationComplete()
     */
    @Override
    protected Response authenticationComplete() {
        authenticationSession.setAuthNote(UserInvitationConstants.SET_INITIAL_PASSWORD_AUTH_NOTE, "true");

        if (redirectURI != null) {
            authenticationSession.setRedirectUri(redirectURI);
        }

        return super.authenticationComplete();
    }

Were there changes between 4.8.3 and 5.0.0 that would impact the authentication flow functionality? If so, can someone point me to the changes as well as any information I might need to know in order to fix up my implementation to make it work again?

Thanks so much,
Craig

=================================
*Craig Setera*
*Chief Technology Officer*
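An added example, not Craig's code and not part of Keycloak itself, of a check worth making whenever a flow is created programmatically and handed to processFlow(): a top-level AuthenticationFlowModel that has no executions under it has nothing to run, so the processor treats it as passed and authenticationComplete() is reached without the user being asked for anything. The helper below creates the flow the same way the posted code does, then verifies that at least one REQUIRED execution exists and adds one if not. The provider id "reset-password" (the built-in authenticator that forces the UPDATE_PASSWORD required action) and the priority value are assumptions made for the example; the realm methods used are the Keycloak 5.x RealmModel API.

```java
import java.util.List;

import org.keycloak.authentication.AuthenticationFlow;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.AuthenticationFlowModel;
import org.keycloak.models.RealmModel;

/**
 * Added example (not from the mailing list post or the Keycloak code base).
 * Installs the "set-initial-password" flow and refuses to hand back a flow
 * that cannot challenge anyone: a flow without executions completes at once.
 */
public final class InitialPasswordFlowInstaller {

    static final String FLOW_ALIAS = "set-initial-password";

    // Assumption: provider id of the built-in authenticator that forces the
    // UPDATE_PASSWORD required action (the one used by the reset-credentials flow).
    static final String RESET_PASSWORD_AUTHENTICATOR = "reset-password";

    private InitialPasswordFlowInstaller() {
    }

    /** Creates the flow if missing and guarantees it has one REQUIRED execution. */
    public static AuthenticationFlowModel ensureFlow(RealmModel realm) {
        AuthenticationFlowModel flow = realm.getFlowByAlias(FLOW_ALIAS);
        if (flow == null) {
            flow = new AuthenticationFlowModel();
            flow.setAlias(FLOW_ALIAS);
            // false keeps the flow visible and editable in the admin console;
            // a built-in flow is locked there.
            flow.setBuiltIn(false);
            flow.setDescription("Set Initial Password");
            flow.setProviderId(AuthenticationFlow.BASIC_FLOW);
            flow.setTopLevel(true);
            // addAuthenticationFlow assigns the id the executions must reference.
            flow = realm.addAuthenticationFlow(flow);
        }

        List<AuthenticationExecutionModel> executions = realm.getAuthenticationExecutions(flow.getId());
        if (!hasRequiredExecution(executions)) {
            AuthenticationExecutionModel exec = new AuthenticationExecutionModel();
            exec.setParentFlow(flow.getId());
            exec.setAuthenticator(RESET_PASSWORD_AUTHENTICATOR);
            exec.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
            exec.setAuthenticatorFlow(false);   // a plain authenticator, not a sub-flow
            exec.setPriority(10);               // assumption: first (and only) step
            realm.addAuthenticatorExecution(exec);
        }
        return flow;
    }

    /** Guard to call before processFlow(): fail loudly instead of silently passing. */
    public static void assertNotTrivial(RealmModel realm, AuthenticationFlowModel flow) {
        if (!hasRequiredExecution(realm.getAuthenticationExecutions(flow.getId()))) {
            throw new IllegalStateException("flow '" + flow.getAlias()
                    + "' has no REQUIRED execution and would complete without authenticating anyone");
        }
    }

    private static boolean hasRequiredExecution(List<AuthenticationExecutionModel> executions) {
        return executions.stream()
                .anyMatch(e -> e.getRequirement() == AuthenticationExecutionModel.Requirement.REQUIRED);
    }
}
```

Used from an action token handler, ensureFlow(realm) replaces the bare getFlowByAlias/addAuthenticationFlow pair and assertNotTrivial(realm, flow) goes immediately before tokenContext.processFlow(...); if the flow still exists from an earlier version but lost its executions (or never had any), the guard turns the silent "jumps straight to authenticationComplete" symptom into an explicit error in the server log.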