Keycloak 1.0.3 branch
by Matthias Wessendorf
Hi,
I tried picking up KC 1.0.3.Final on our 1.0.x branch:
* deployment of both WARs went fine
* accessing the `http://localhost:8080/ag-push` offers me the initial
login for admin:123
* clicking login did _NOT_ redirect me to the form where I am supposed
to update the default password.
On WildFly, I got a blank page and this stack-trace:
```
12:47:35,859 WARN [org.jboss.resteasy.core.ExceptionHandler] (default
task-10) Failed executing POST
/realms/aerogear/tokens/auth/request/login:
org.keycloak.services.ForbiddenException
at org.keycloak.services.util.CsrfHelper.csrfCheck(CsrfHelper.java:39)
[keycloak-services-1.0.3.Final.jar:]
at org.keycloak.services.resources.TokenService.processLogin(TokenService.java:479)
[keycloak-services-1.0.3.Final.jar:]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[rt.jar:1.7.0_65]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
[rt.jar:1.7.0_65]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[rt.jar:1.7.0_65]
at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_65]
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
[resteasy-jaxrs-3.0.8.Final.jar:]
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
[resteasy-jaxrs-3.0.8.Final.jar:]
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
[resteasy-jaxrs-3.0.8.Final.jar:]
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
[resteasy-jaxrs-3.0.8.Final.jar:]
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
[resteasy-jaxrs-3.0.8.Final.jar:]
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
[resteasy-jaxrs-3.0.8.Final.jar:]
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
[resteasy-jaxrs-3.0.8.Final.jar:]
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
[resteasy-jaxrs-3.0.8.Final.jar:]
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
[resteasy-jaxrs-3.0.8.Final.jar:]
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
[resteasy-jaxrs-3.0.8.Final.jar:]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
[jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)
[keycloak-services-1.0.3.Final.jar:]
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)
[keycloak-services-1.0.3.Final.jar:]
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
[rt.jar:1.7.0_65]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
[rt.jar:1.7.0_65]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_65]
```
On EAP 6.3, I got a 403, with this stack-trace:
```
12:50:06,377 WARN [org.jboss.resteasy.core.SynchronousDispatcher]
(http-/0.0.0.0:8080-3) Failed executing POST
/realms/aerogear/tokens/auth/request/login:
org.keycloak.services.ForbiddenException
at org.keycloak.services.util.CsrfHelper.csrfCheck(CsrfHelper.java:39)
[keycloak-services-1.0.3.Final.jar:]
at org.keycloak.services.resources.TokenService.processLogin(TokenService.java:479)
[keycloak-services-1.0.3.Final.jar:]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[rt.jar:1.7.0_65]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
[rt.jar:1.7.0_65]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[rt.jar:1.7.0_65]
at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_65]
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
[resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269)
[resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227)
[resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159)
[resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92)
[resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
[resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
[resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
[resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
[resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
[resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
[resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
[jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)
[keycloak-services-1.0.3.Final.jar:]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)
[keycloak-services-1.0.3.Final.jar:]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50)
[jboss-as-jpa-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50)
[jboss-as-jpa-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
[jboss-as-web-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_65]
```
--
Matthias Wessendorf
blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
10 years, 1 month
Pushed docs for adapters clustering
by Marek Posolda
I've pushed docs for adapters clustering and support for storing account
info in a cookie https://issues.jboss.org/browse/KEYCLOAK-702, which seems
to be the last major thing for clustering support on the adapters side required
for release.
I am out tomorrow on public holidays, but back on Wednesday ready to
help with whatever is needed for release (there is some probability of
being stuck on portal again, but hopefully not...)
Marek
10 years, 1 month
Making "hello world" with Wildfly easier
by Bill Burke
Bolek made a good point to me privately. If you were creating a simple
"hello world" app, would you use Keycloak? Right now, there's a lot of
configuration steps.
1. Install keycloak server and/or adapter (unless you are using the
appliance distro).
2. Log into admin console
3. Create a realm
4. Create an application
5. Enter in all the configuration items
6. Extract a keycloak.json file (or service.xml)
7. Edit the WAR or add service.xml to standalone.xml
8. Back to admin console
9. Create some users
How could we make it better?
* Have a test realm pre-set up
* Keycloak adapter is aware of a locally installed server and of the
test realm
* adapter can automatically register the web app with the locally
installed test realm.
* Have a JAAS User Federation SPI plugin and have it pre-set up with the
test realm.
* Have IP ACL per realm so that the test realm can't be accessed outside
of localhost.
Other ideas?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 1 month
Any more issues for 1.0.3.Final
by Stian Thorgersen
Are there any more issues that need resolving for 1.0.3.Final, or are we ready to release?
If there's nothing more I'm releasing tomorrow.
10 years, 2 months
Multi tenancy support - a proposal to discuss
by Juraci Paixão Kröhling
Hello,
As part of a task for another project that could benefit from having
multi tenancy support in Keycloak, I scratched a proposal for this
feature and sent it as a PR (it's now on the 'multi-tenant-adapter'
branch).
In my view, multi tenancy is defined as "a way to determine the realm
of an application based on the incoming request". So, a single
application is deployed to a single application server, but the users
could belong to different realms, depending on the hostname, or an
HTTP header, or path, ... This is a typical SaaS scenario.
There's already good "multi tenant" support at the server level, in
the form of a realm, so I haven't bothered much in checking if it
would make sense to add this kind of support on the server (i.e. a
"tenants" property in a realm).
The commit [1] adds a new abstract class, KeycloakConfigResolver, that
is meant to be extended by an application developer and builds a
KeycloakDeployment.
If an application (war) contains the context parameter
"keycloak.config.resolver" and points to a class existing on the
deployed WAR, it uses that on the AdapterDeploymentContext. On each
incoming request, this resolver is used to build a KeycloakDeployment,
used during the actual authentication/authorization, not changed by
this commit except for adding the HttpFacade.Request in some places.
When doing a rebase this morning to send the PR, I got a few conflicts
due to the clustering support. I don't know the implications of that
yet, as I'm not familiar with the clustering support, but I think a
proper final solution is to split KeycloakDeployment, so that
information about the target Keycloak server is stored in a different
place than the realm information.
I have tested this with a custom application, available at [2]. It was
tested with a Keycloak 1.0.1.Final server and with the custom adapters
deployed on Wildfly 8.1.0.Final and seems to work fine.
What I'm particularly interested in knowing is:
- Is this the right direction to implement this feature? I have mixed
feelings about doing this at the "AdapterDeploymentContext" level
(mixed, but more on the positive side).
- Should I refactor KeycloakDeployment, to split the server from the
realm information?
1 -
https://github.com/keycloak/keycloak/commit/37a48d49e10798d10f4509848c04e...
2 - https://github.com/jpkrohling/keycloak-tenants-poc
Best,
Juca.
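As an added illustration of the resolver shape the proposal describes (example code, not from the PR or from Keycloak): a resolver that picks the realm from the request's Host header. It assumes the abstract class exposes one method to override, `KeycloakDeployment resolve(HttpFacade.Request)`, that `HttpFacade.Request.getHeader` and `KeycloakDeploymentBuilder.build(InputStream)` are available to the adapter, and that each realm's adapter config ships in the WAR as `keycloak-<realm>.json` (this example's naming); the hostnames and realm names are constructed sample values.

```java
import java.io.InputStream;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.keycloak.adapters.HttpFacade;
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;

// Resolves the realm from the Host header. Wired up via the proposal's context parameter:
// keycloak.config.resolver = com.example.HostnameRealmResolver (package is a placeholder).
public class HostnameRealmResolver extends KeycloakConfigResolver {
    // Fixed allow-list of tenant hostnames -> realm names (constructed sample values). The realm
    // name is never taken verbatim from the request, so a client cannot pick an arbitrary realm
    // or steer the config lookup below to an arbitrary resource path.
    private static final Map<String, String> HOST_TO_REALM = new HashMap<String, String>();
    static {
        HOST_TO_REALM.put("acme.example.com", "acme");
        HOST_TO_REALM.put("globex.example.com", "globex");
    }

    // One KeycloakDeployment per realm, built lazily: building parses the JSON and decodes the
    // realm public key, which should not be repeated on every request.
    private final Map<String, KeycloakDeployment> deployments =
            new ConcurrentHashMap<String, KeycloakDeployment>();

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        String host = request.getHeader("Host");
        if (host == null) {
            throw new IllegalStateException("request carries no Host header");
        }
        // Drop any :port suffix and normalise case before the lookup.
        int colon = host.indexOf(':');
        String hostname = (colon >= 0 ? host.substring(0, colon) : host).toLowerCase(Locale.ROOT);
        String realm = HOST_TO_REALM.get(hostname);
        if (realm == null) {
            // Unknown tenant: fail closed instead of falling back to some default realm.
            throw new IllegalStateException("no realm configured for host " + hostname);
        }
        KeycloakDeployment deployment = deployments.get(realm);
        if (deployment == null) {
            deployment = loadDeployment(realm);
            KeycloakDeployment first = deployments.putIfAbsent(realm, deployment);
            if (first != null) deployment = first; // another thread built it first; reuse theirs
        }
        return deployment;
    }

    // Loads /keycloak-<realm>.json from the WAR classpath (WEB-INF/classes). The file naming is
    // this example's convention, not Keycloak's.
    private KeycloakDeployment loadDeployment(String realm) {
        InputStream json = getClass().getResourceAsStream("/keycloak-" + realm + ".json");
        if (json == null) {
            throw new IllegalStateException("missing adapter config for realm " + realm);
        }
        return KeycloakDeploymentBuilder.build(json);
    }
}
```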
10 years, 2 months
add-provider or add-service?
by Stan Silvert
When you drop a service jar into the WEB-INF/lib of the auth server, is
this always called a "provider"?
I'm making a subsystem management operation to upload a jar into the
auth server and I'd like to know if I can call it "add-provider" or if I
should go with the more generic "add-service"?
Stan
10 years, 2 months
Increase 'SSO Session Idle Timeout' on master realm
by Stian Thorgersen
Working with the admin console you often get logged-out while doing something (for example looking at documentation or configuring Google).
I propose we increase 'SSO Session Idle Timeout' on the master realm and new realms to 30 minutes.
10 years, 2 months
key and code in emails
by Stian Thorgersen
Why is there a key as well as the code query params in links sent in emails?
10 years, 2 months
Documenting SPIs, providers and keycloak-server.json
by Stian Thorgersen
To make it easier for users to configure Keycloak I propose we add a self-documenting feature to SPIs and Providers.
This would also allow us to do some sanity check on keycloak-server.json.
To achieve this we would do the following:
1. Add Spi#getDescription and update all implementations to have a short description about the Spi
2. Add ProviderDescription[1] interface, ProviderFactory implementations can optionally implement this interface. All our built-in providers should implement ProviderDescription
3. Add some sanity check of keycloak-server.json
4. Fix config in keycloak-server.json that doesn't follow the spi/provider format (applies to scheduled and theme)
Using the above details we can generate a reference guide to include in the documentation. In the future we could also make it possible to configure through the admin console.
It's only a couple of hours' work and I'd like to include it in 1.1.0.Beta1.
More details below.
--------------
#2 Add ProviderDescription
ProviderDescription:
* String getDescription
* ConfigOption[] getConfigOptions()
ConfigOption:
* String getName
* String getDescription
* boolean isRequired
* Type getType
Type (enum):
* STRING
* NUMBER
* BOOLEAN
* OPTIONS(String.. options)
--------------
#4 Fix config in keycloak-server.json
Change:
```
"scheduled": {
  "interval": 900
}
```
To:
```
"timer": {
  "basic": {
    "defaultInterval": 900
  }
}
```
Change:
```
"theme": {
  "default": "keycloak",
  "staticMaxAge": 2592000,
  "cacheTemplates": "${keycloak.theme.cacheTemplates:true}",
  "cacheThemes": "${keycloak.theme.cacheThemes:true}",
  "folder": {
    "dir": "${keycloak.theme.dir}"
  }
}
```
To:
```
"theme": {
  "provider": "default",
  "default": {
    "defaultTheme": "keycloak",
    "staticMaxAge": 2592000,
    "cacheTemplates": "${keycloak.theme.cacheTemplates:true}",
    "cacheThemes": "${keycloak.theme.cacheThemes:true}",
    "themeDir": "${keycloak.theme.dir}"
  }
}
```
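An added example (not Keycloak code) of the sketch above put to work: the `ProviderDescription`/`ConfigOption`/`Type` shapes as listed, a description for the proposed `timer`/`basic` provider, and the keycloak-server.json sanity check from step 3 applied to one provider section. The check logic, the `ConfigChecker` and `BasicTimerDescription` names, and the treatment of `${...}` placeholders are this example's assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;

enum Type { STRING, NUMBER, BOOLEAN, OPTIONS }
final class ConfigOption {
    final String name, description; final boolean required; final Type type;
    final String[] options; // allowed values, only meaningful for Type.OPTIONS
    ConfigOption(String name, String description, boolean required, Type type, String... options) {
        this.name = name; this.description = description; this.required = required;
        this.type = type; this.options = options;
    }
}
interface ProviderDescription {
    String getDescription();
    ConfigOption[] getConfigOptions();
}
// Description of the "basic" provider of the "timer" SPI from the proposed keycloak-server.json.
final class BasicTimerDescription implements ProviderDescription {
    public String getDescription() { return "Runs scheduled tasks in-process at a fixed interval"; }
    public ConfigOption[] getConfigOptions() {
        return new ConfigOption[] { new ConfigOption("defaultInterval", "Seconds between runs", true, Type.NUMBER) };
    }
}
final class ConfigChecker {
    // Checks one provider section, as parsed from keycloak-server.json, against its description.
    // Returns human-readable problems; an empty list means the section is sane.
    static List<String> check(String spi, String provider, ProviderDescription desc, Map<String, Object> section) {
        String where = spi + "." + provider + ": ";
        List<String> problems = new ArrayList<String>();
        for (ConfigOption opt : desc.getConfigOptions()) {
            Object value = section.get(opt.name);
            if (value == null) {
                if (opt.required) problems.add(where + "missing required option '" + opt.name + "'");
            } else if (!typeMatches(opt, value)) {
                problems.add(where + "option '" + opt.name + "' must be " + opt.type + ", got " + value);
            }
        }
        for (String key : section.keySet()) {
            if (!isKnown(desc, key)) problems.add(where + "unknown option '" + key + "'");
        }
        return problems;
    }
    private static boolean typeMatches(ConfigOption opt, Object v) {
        // "${system.property:default}" placeholders are substituted later, so accept them for any type.
        if (v instanceof String && ((String) v).startsWith("${")) return true;
        switch (opt.type) {
            case NUMBER:  return v instanceof Number;
            case BOOLEAN: return v instanceof Boolean;
            case OPTIONS: return v instanceof String && Arrays.asList(opt.options).contains(v);
            default:      return v instanceof String;
        }
    }
    private static boolean isKnown(ProviderDescription desc, String key) {
        for (ConfigOption opt : desc.getConfigOptions()) if (opt.name.equals(key)) return true;
        return false;
    }
}
```

Fed the old `"scheduled": { "interval": 900 }` section as the `timer`/`basic` config, the checker reports both an unknown option `interval` and a missing required option `defaultInterval`, which is exactly the mismatch step 4 fixes.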
10 years, 2 months