Keycloak in Tomcat server
by mohammed althaf
Hi Team,
I was able to use Keycloak for SSO seamlessly in JBoss/WildFly server.
Since my web application is running in Tomcat, I am trying to deploy the
Keycloak server in Tomcat as well.
I followed
https://reachmnadeem.wordpress.com/2015/01/14/deploying-keycloak-in-tomcat/
and I was able to spin up Keycloak in the Tomcat server. But it was using
the 1.0.2 version.
So I am trying to deploy the Keycloak server 1.6.1. I faced the below issues.
1. Failed to provide mem for realmcache (please check failed to find provider
log)
So I removed the cache from keycloak-server.json.
Not sure it is fine?
2. Then I was able to proceed, but it again failed with an h2.db
exception (please check lockout.log)
It will be great if you guys can help me resolve this issue.
Thanks,
Althaf
9 years, 3 months
Re: [keycloak-dev] [keycloak-user] How to implement long user sso sessions with reauthentication for important actions?
by Vlastimil Elias
Hi,
moving this discussion to the devel forum as it is about the feature
development now.
The top-level issue I created for this feature is
https://issues.jboss.org/browse/KEYCLOAK-2076
I added some notes and thoughts from my investigation as a comment to
KEYCLOAK-2076; there are some open questions about how to implement it.
Originally I thought I should be able to implement reauth support and
provide a PR.
But I must say I'm not sure now if I'm able to implement it. It looks like
it is a bit more complicated than I originally expected, so probably
some Keycloak core developer should do it.
But if you think you will not have resources to do it in 1.8 then I can
try it (with your support), as I believe it is a very important feature,
and we really want to use it.
Cheers
Vlastimil
On 12.11.2015 14:50, Stian Thorgersen wrote:
>
>
> On 12 November 2015 at 14:49, Vlastimil Elias <velias(a)redhat.com> wrote:
>
> Thanks for the quick reply, Stian.
>
> I'm going to create JIRAs for all these things. I can volunteer to
> implement some parts of this.
>
> For the last one, it should be probably cool to have
> "reauthenticate timeout" setting available in client section for
> every client (not only internal admin console and account
> management). It should allow simple implementation of "long user
> sso session" scheme even in environments where some clients can't
> be updated to set max_age on protocol level.
>
>
> Yep, that makes sense
>
>
>
> Vl.
>
>
> On 12.11.2015 14:39, Stian Thorgersen wrote:
>>
>>
>> On 12 November 2015 at 14:15, Vlastimil Elias <velias(a)redhat.com> wrote:
>>
>> Hi,
>>
>> I'd like to use the long session authentication mechanism known from
>> many sites like Google, Facebook, LinkedIn etc.
>> It is about really long user SSO sessions (e.g. weeks or even months)
>> with reauthentication for important actions when the last
>> authentication timestamp is older than some limit.
>>
>> Is this somehow possible with current Keycloak server and
>> Keycloak adapters?
>>
>> I see a few subquestions in this problem for our use:
>>
>> *****
>> The OpenID Connect protocol defines a few auth request parameters to
>> support this use case, mainly max_age or prompt=login. Are they
>> correctly implemented in Keycloak server?
>>
>>
>> We don't have support for max_age and we only support prompt=none
>> so these would have to be added
>>
>>
>>
>>
>> *****
>> Wildfly/EAP adapter - is it possible, and is there some example of how
>> to use a "reauth if auth is older than 30min" action in a Java app
>> secured by this adapter? Or is info about the last auth timestamp
>> somehow available in the app?
>>
>>
>> We don't set auth_time claim ATM so answer is no
>>
>>
>>
>>
>> *****
>> Keycloak user account application itself - it is part of the Keycloak
>> server, but it contains sensitive actions which typically require
>> reauthentication in this long session scheme (password change, email
>> change, ...). Is it somehow possible to configure Keycloak to force
>> timeout reauth for this app?
>>
>>
>> Not at the moment - but if we add what you want it would also
>> make sense to add that. Would need to be configurable through the
>> admin console. Would also be nice to have the same for the admin
>> console itself.
>>
>>
>>
>> Thanks in advance
>>
>> Vl.
>>
>> --
>> Vlastimil Elias
>> Principal Software Engineer
>> Developer Portal Engineering Team
>>
>>
>>
>>
>>
>
> --
> Vlastimil Elias
> Principal Software Engineer
> Developer Portal Engineering Team
>
>
--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
9 years, 3 months
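
The client-side half of the scheme discussed in this thread, as an added example that is not part of the original messages or of Keycloak's code: a relying party checks the `auth_time` claim before a sensitive action and, when the login is too old or the claim is absent, builds an authorization request carrying `max_age` (or `prompt=login`). It assumes the claims come from an ID token whose signature, issuer and audience were already validated; the endpoint, client id and redirect URI are constructed placeholders.

```python
import secrets
import time
from urllib.parse import urlencode

# Constructed placeholders, not values from the thread.
AUTHZ_ENDPOINT = "https://sso.example.test/auth"
CLIENT_ID = "account-app"
REDIRECT_URI = "https://app.example.test/callback"
REAUTH_MAX_AGE = 30 * 60  # seconds: the "older than 30min" limit from the thread


def auth_is_fresh(claims, max_age, now=None, leeway=60):
    """True only if the verified claims prove a login within max_age seconds."""
    now = time.time() if now is None else now
    auth_time = claims.get("auth_time")
    # Fail closed: a missing or non-numeric auth_time proves nothing.
    if isinstance(auth_time, bool) or not isinstance(auth_time, (int, float)):
        return False
    if auth_time > now + leeway:  # login "in the future": reject beyond clock skew
        return False
    return now - auth_time <= max_age


def reauth_request_url(state, nonce, max_age=None):
    """Build an authorization request that makes the server re-check the login."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
    }
    if max_age is None:
        params["prompt"] = "login"        # always ask for credentials again
    else:
        params["max_age"] = str(max_age)  # ask only if the login is older
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def guard_sensitive_action(claims, now=None):
    """Return ("allow", None) or ("reauth", url) for e.g. a password change."""
    if auth_is_fresh(claims, REAUTH_MAX_AGE, now):
        return "allow", None
    url = reauth_request_url(secrets.token_urlsafe(16), secrets.token_urlsafe(16),
                             REAUTH_MAX_AGE)
    return "reauth", url
```

Running `auth_is_fresh` again on the ID token returned after the redirect catches a server that ignores `max_age` or omits `auth_time`, so the action stays blocked in that case.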